b'   October 17, 2002\n\n\n\n\nAcquisition\n\nImplementation of Interoperability\nand Information Assurance Policies\nfor Acquisition of DoD Weapon\nSystems\n(D-2003-011)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality               Integrity       Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax\n  (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax\n  (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Inspector General of the Department of Defense\n                          400 Army Navy Drive (Room 801)\n                              Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n  by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n  The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nASD(C3I)              Assistant Secretary of Defense (Command, Control,\n                         Communications, and Intelligence)\nC3I                   Command, Control, Communications, and Intelligence\nC4I                   Command, Control, Communications, Computers, and\n                         Intelligence\nCRD                   Capstone Requirements Document\nDISA                  Defense Information Systems Agency\nGIG                   Global Information Grid\nJCPAT                 Joint Command, Control, Communications, Computers, and\n                         Intelligence Program Assessment Tool\nJITC                  Joint Interoperability Test Command\nKPP                   Key Performance Parameter\nORD                   Operational Requirements Document\nTEMP                  Test and Evaluation Master Plan\nUSJFCOM               U.S. Joint Forces Command\n\x0c\x0c         Office of the Inspector General of the Department of Defense\nReport No. D-2003-011                                                  October 17, 2002\n   (Project No. D2002AE-0009)\n\n                    Implementation of Interoperability and\n                      Information Assurance Policies for\n                     Acquisition of DoD Weapon Systems\n\n                                Executive Summary\n\nWho Should Read This Report and Why? Policy makers, milestone decision\nmakers, combat and materiel developers, and testers responsible for interoperability and\ninformation assurance requirements of DoD weapon systems should be interested in this\nreport. This report addresses the importance of adhering to DoD interoperability and\ninformation assurance policies to reduce the risk of DoD weapon systems not being\ninteroperable and able to exchange information in a secure manner with other DoD and\nallied systems.\n\nBackground. This report is the first in a series of reports on the implementation of\ninteroperability and information assurance policies for the acquisition of DoD weapon\nsystems. Other reports in the series will address how effectively the Army, Navy,\nAir Force, and Unified Commands implement those policies. Interoperability and\ninformation assurance policies include the Joint Vision 2020 and the Global Information\nGrid capstone requirement document.\n\nResults. The Department faces a difficult challenge in achieving interoperability\nbetween DoD systems and needs congruent and effective mechanisms to measure and\noversee its progress. Without consistent guidance that makes combat and materiel\ndevelopers analyze programs using an operational architecture view, the DoD is at risk\nof developing systems that operate independently of other systems and of not fully\nrealizing the benefits of interoperable DoD systems to satisfy the needs of the\nwarfighter as outlined in Joint Vision 2020. Implementing a process that timely\nintegrates revisions for interoperability and information assurance policies into the\napplicable DoD and Chairman of the Joint Chiefs of Staff interoperability and\ninformation assurance policies; establishing criteria and procedures for placing DoD\nsystems on the Interoperability Watch List; comparing the operational requirements\ndocuments (ORDs) of proposed DoD systems against the other ORDs in the related\nmission area architecture; updating the Joint Command, Control, Communications,\nComputers, and Intelligence Program Assessment Tool (JCPAT) database and\ncontrolling user access; and defining and implementing a plan to test critical operational\nissues for DoD systems in the Global Information Grid should better enable DoD to\nimplement interoperability and information assurance policies. (See the Finding section\nof this report for the detailed recommendations.)\n\nManagement Comments and Audit Response. We received comments from the\nDirector, Interoperability, Office of the Under Secretary of Defense for Acquisition,\nTechnology, and Logistics; the Director, Architecture and Interoperability, Office of\nthe Assistant Secretary of Defense (Command, Control, Communications, and\nIntelligence) (ASD[C3I]); the Inspector General, Office of the Commander, U.S. Joint\n\x0cForces Command (USJFCOM); the Director, Operational Test and Evaluation; the\nInspector General, Defense Information Systems Agency (DISA); the Director, Joint\nStaff; and the Co-Chair, Interoperability Senior Review Panel.*\n\nThe Director, Interoperability neither concurred nor nonconcurred with the\nrecommendation concerning timely revisions of interoperability and information\nassurance policies; however, he suggested revisions to the recommendation, which we\nmade. The Director, Architecture and Interoperability concurred with the\nrecommendation concerning timely revisions of interoperability and information\nassurance policies and neither concurred nor nonconcurred with the recommendation\nconcerning the implementation of the Interoperability Watch List. The Inspector\nGeneral, USJFCOM stated that USJFCOM neither concurred nor nonconcurred with\nthe recommendation concerning the comparison of ORDs; however, he suggested\nrevisions to the recommendation, which we made. The Inspector General added that\nthe USJFCOM is currently not funded or resourced to perform the in-depth review of\nthe ORD, as recommended. The Director, Operational Test and Evaluation partially\nconcurred with the recommendations concerning the implementation of the\nInteroperability Watch List and the testing of critical operational issues. The Director,\nJoint Staff concurred with the report, subject to the incorporation of his comments on\nthe recommendations concerning interoperability and information assurance policies,\nthe Interoperability Watch List, and limiting JCPAT access. The Director also stated\nthat the DoD is not effectively structured to effect the organizing, training, and\nequipping of joint capabilities. Further, he stated that a joint process was not\nestablished to delineate who is responsible and accountable for developing and\nacquiring joint command and control systems and integrating capabilities. The\nCo-Chair, Interoperability Senior Review Panel agreed with the need for timely\nrevisions of interoperability and information assurance policies, the implementation of\nthe Interoperability Watch List, the comparison of ORDs, the use of qualification\nanalysis and predictive tools, and the testing of critical operational issues. Further, the\nCo-Chair supported the position of the Joint Staff regarding the JCPAT. (See the\nFinding section of this report for a discussion of the management comments and the\nManagement Comments section of the report for the complete text of the comments.)\n\nBecause we received varied comments from the senior leadership of the Interoperability\nSenior Review Panel to the recommendations, often without a coordinated corrective\naction plan, we redirected those recommendations to the Co-Chair, Interoperability\nSenior Review Panel and request that he comment on how the Panel will implement a\nprocess that timely integrates revisions for interoperability and information assurance\npolicies; will establish a clearly defined process and criteria for the Interoperability\nWatch List; will employ a process and resources, including quantification analysis and\npredictive tools, to compare the ORDs of proposed DoD systems against the other\nORDs in the related mission area architecture; will update or archive JCPAT\ndocuments; and will limit JCPAT access. Therefore, we request that the Co-Chair,\nInteroperability Senior Review Panel provide comments on this final report by\nDecember 16, 2002.\n\n\n\n\n*\n The Interoperability Senior Review Panel is composed of senior leaders from the Offices of the Under\nSecretary of Defense for Acquisition, Technology, and Logistics; the ASD(C3I); the Joint Staff; the\nUSJFCOM; the Director for Programs, Analysis, and Evaluation; and the Director, Operational Test and\nEvaluation.\n\n                                                 ii\n\x0cTable of Contents\n\nExecutive Summary                                                             i\n\nIntroduction\n     Background                                                               1\n     Objectives                                                               3\n\nFinding\n     Adequacy of the Interoperability and Information Assurance Process       4\n\nAppendixes\n     A. Scope and Methodology                                                27\n           Prior Coverage                                                    28\n           Other Matters of Interest                                         28\n     B. Definitions of Technical Terms                                       30\n     C. Interoperability Action Plan of the Under Secretary of Defense for\n           Acquisition, Technology, and Logistics for Command and\n           Control Systems                                                   36\n     D. Global Information Grid                                              38\n     E. Multiple Factors Affecting the Implementation of Interoperability\n           Requirements in the Weapon System Development Process             40\n     F. Interoperability and Information Assurance Policies                  43\n     G. DoD System Interoperability Requirements Review Process              50\n     H. Organizations with Access to the Joint Command, Control,\n           Communications, Computers, and Intelligence Program\n           Assessment Tool                                                   53\n     I. Response to Office of the Secretary of Defense and Defense Agency\n           Comments Concerning the Report                                    55\n     J. Report Distribution                                                  64\nManagement Comments\n     Under Secretary of Defense for Acquisition, Technology, and Logistics   67\n     Assistant Secretary of Defense (Command, Control, Communications,\n        and Intelligence)                                                    69\n     U.S. Joint Forces Command                                               73\n     Director, Operational Test and Evaluation                               79\n     Defense Information Systems Agency                                      81\n     Joint Staff                                                             85\n     Interoperability Senior Review Panel                                    91\n\x0cBackground\nThis report is the first in a series of reports on the implementation of\ninteroperability and information assurance policies for the acquisition of DoD\nweapon systems. This report addresses the implementation of those policies by\nthe Office of the Secretary of Defense and Defense agencies, the interoperability\nrequirements process, and the oversight thereof. Subsequent reports will\ndiscuss the adequacy of interoperability key performance parameters (KPPs) and\nthe interoperability certification process for DoD systems, including national\nsecurity systems in the Army, Navy, Air Force, and unified combatant\ncommands. Appendix B provides definitions of technical terms used in this\nreport.\n\nChairman of the Joint Chiefs of Staff Testimony on the President\xe2\x80\x99s\nProposed Defense Program for FYs 2003 to 2007. On February 5, 2002,\nGeneral Myers, the Chairman of the Joint Chiefs of Staff, testified before the\nU.S. Senate Committee on Armed Services on interoperability. General Myers\ndescribed how Navy, Air Force, and Marine Corps systems shared information\nto execute combat operations in Afghanistan. He testified that:\n           To fulfill our range of commitments and protect our global interests,\n           we must make the investments necessary to maintain the quality of\n           our force while preparing for future challenges of the 21st century.\n           The best means of accomplishing these goals, in my mind, are to,\n           one, improve our joint war-fighting capabilities, and two, to\n           transform the armed forces of America into a 21st century force.\n\nGeneral Myers further testified that DoD should conceive, design, and produce\nnew systems with joint warfighting requirements in mind. DoD needs to view\nnew systems as interchangeable modules that can be used in any situation and in\nany command arrangement. General Myers believed the area with the greatest\npotential is in command, control, communications, computers, intelligence,\nsurveillance and reconnaissance.\n\nQuadrennial Defense Review. On September 2001, the Quadrennial Defense\nReview report stated that achieving the objectives of the defense strategy\nrequires the transformation of the U.S. Armed Forces. Two of the six critical\noperational goals for the DoD transformational efforts relate to information\nassurance and interoperability.\n\n       \xe2\x80\xa2   Assuring that, in the face of attack, information systems conduct\n           effective information operations.\n\n       \xe2\x80\xa2   Leveraging information technology and innovative concepts to\n           develop interoperable, joint command, control, communications,\n           computers, intelligence, surveillance, and reconnaissance\n           architectures and capability that includes a tailorable joint operational\n           picture.\n\n\n\n\n                                        1\n\x0cAdditionally, as stated in the Quadrennial Defense Review report,\n           To support joint and combined command and control and to enable a\n           common relevant operational picture of the battlespace, the\n           Department will enhance end-to-end interoperable communications for\n           secure planning and operations. These communications will provide\n           shared situational awareness and integration of joint fires, maneuver,\n           and intelligence. They must be interoperable across all components\n           and tailorable for coalition operations with other countries.\n\nJoint Vision 2020. On May 30, 2000, the Chairman of the Joint Chiefs of Staff\nsigned Joint Vision 2020, which addressed the concept, design, and production\nof systems with joint warfighting requirements. Joint Vision 2020 describes in\nbroad terms a future joint force whose operational capabilities will be required\nto succeed across the full range of military operations and accomplish missions\nin the year 2020 and beyond. Joint Vision 2020 states that interoperability is a\nmandate for the future joint force especially for communications, common\nlogistics items, and information sharing. Information systems and equipment\nthat enable a common, relevant operational picture must work from shared\nnetworks that can be accessed by any appropriately cleared participant. As an\nexample, Appendix C details the action plan that the Director for\nInteroperability, Office of the Under Secretary of Defense for Acquisition,\nTechnology, and Logistics is planning to execute for command and control\nsystems.\n\nAnother tenet of Joint Vision 2020 is to attain information superiority.\nInformation superiority gets the right information to the right people, at the right\ntime, and in the right format, resulting in a vastly improved shared\nunderstanding of the situation. Joint Vision 2020 emphasizes the following\ninformation superiority goals:\n\n       \xe2\x80\xa2   implement effective programming for establishing information\n           assurance and critical infrastructure protection, and\n\n       \xe2\x80\xa2   build a coherent Global Information Grid (GIG).\n\nGlobal Information Grid. In November 1999, the Joint Chiefs of Staff\nassigned the Commander, U.S. Joint Forces Command (USJFCOM) the task of\npreparing the capstone requirements document (CRD) for the GIG. On\nAugust 30, 2001, the Joint Requirements Oversight Council approved the CRD,\nwhich describes the overarching information capability requirements for a\nglobally interconnected, end-to-end, interoperable, and secured\nsystem-of-systems that would support the Secretary of Defense, warfighters,\nDoD personnel, the intelligence community, policy makers, and non-DoD users\nat all levels involved in military and nonmilitary operations. Appendix D\nprovides a detailed description of the GIG.\n\nCommon Interoperable and Secure Systems. To attain Joint Vision 2020 and\nGIG compliance and reduce the risk of building stand-alone or \xe2\x80\x9cstovepipe\xe2\x80\x9d\nsystems, the Defense agencies and the Military Departments are required to\ndevelop and retrofit DoD systems into common interoperable and secure\nsystems. Information assurance is required to protect, defend, and ensure the\n\n                                        2\n\x0c     availability of information and information systems. Interoperability is required\n     to provide the ability of systems to exchange data effectively. Together,\n     information assurance and interoperability comprise the basis for achieving\n     network centric warfare, information superiority, decision superiority, and full\n     spectrum dominance, as defined in Joint Vision 2020. The DoD faces a\n     complex challenge in achieving an effective coexistence between interoperability\n     and information assurance within the context of Joint Vision 2020 and the GIG.\n     Appendix E shows the multiple factors affecting the implementation of\n     interoperability requirements in the weapon system development process.\n\nObjectives\n     The primary audit objective was to evaluate whether the Office of the Secretary\n     of Defense and the Defense agencies were effectively implementing DoD\n     interoperability and information assurance policies. Subsequent reports will\n     discuss the adequacy of interoperability KPPs and the interoperability\n     certification process for DoD systems, including national security systems in the\n     Army, Navy, Air Force, and unified combatant commands. See Appendix A\n     for a discussion of the audit scope and methodology, and prior coverage related\n     to the audit objectives.\n\n\n\n\n                                         3\n\x0c                     Adequacy of the Interoperability and\n                     Information Assurance Process\n                     The Department faces a difficult challenge in achieving interoperability\n                     between DoD systems and needs congruent and effective mechanisms to\n                     measure and oversee its progress. The Department did not have\n                     fundamental mechanisms that are consistently applied or established\n                     because:\n\n                              \xe2\x80\xa2    The Assistant Secretary of Defense (Command, Control,\n                                   Communications, and Intelligence) (ASD[C3I]) had\n                                   interoperability policies in the 1992 version of DoD\n                                   Instruction 4630.8, \xe2\x80\x9cProcedures for Compatibility,\n                                   Interoperability, and Integration of Command, Control,\n                                   Communications, and Intelligence (C3I) Systems,\xe2\x80\x9d that were\n                                   inconsistent with Chairman of the Joint Chiefs of Staff\n                                   Instruction 6212.01B, \xe2\x80\x9cInteroperability and Supportability of\n                                   National Security Systems, and Information Technology\n                                   Systems,\xe2\x80\x9d May 8, 2000. During the audit, on May 2, 2002,\n                                   DoD updated DoD Instruction 4630.8, \xe2\x80\x9cProcedures for\n                                   Interoperability and Supportability of Information Technology\n                                   (IT) and National Security Systems (NSS),\xe2\x80\x9d1 to rectify the\n                                   policy implementation inconsistencies in the earlier version.\n\n                              \xe2\x80\xa2    The Commander, USJFCOM did not analyze interoperability\n                                   and information assurance requirements in the operational and\n                                   system architectures for DoD systems as part of the\n                                   interoperability certification process2 for operational\n                                   requirements documents (ORDs).3\n\n                              \xe2\x80\xa2    The Director, Command, Control, Communications, and\n                                   Computers Systems Directorate (J-6) (the Joint Staff J-6) had\n                                   not updated the Joint Command, Control, Communications,\n                                   Computers, and Intelligence Program Assessment Tool\n                                   (JCPAT) database to include all interoperability certifications;\n                                   Test and Evaluation Master Plans (TEMPs); and Command,\n                                   Control, Communications, Computers, and Intelligence (C4I)\n                                   support plans for DoD systems.\n\n\n1\n    Title of instruction changed as a result of the update.\n2\n Two interoperability certifications exist; the first for requirements and supportability documents and the\nsecond for interoperability certification testing. The Chairman of the Joint Chiefs of Staff (J-6) and the\nJoint Interoperability Test Command are responsible for requirements and supportability document\ncertification and for interoperability certification testing, respectively.\n3\n The updated DoD Instruction 4630.8 assigned USJFCOM with the responsibility to collect, consolidate,\nand prioritize the information technology and national security systems\xe2\x80\x99 interoperability and\nsupportability requirements for emerging and fielded Joint Task Force systems using input from Defense\nagencies and Military Departments.\n\n\n                                                         4\n\x0c                    \xe2\x80\xa2   The Chairman of the Joint Chiefs of Staff; the Under\n                        Secretary of Defense for Acquisition, Technology, and\n                        Logistics; the ASD(C3I); and the Commander, U.S. Joint\n                        Forces Command, in coordination with the Director,\n                        Operational Test and Evaluation, had not established criteria\n                        for the Defense agencies and the Military Departments to\n                        place DoD systems on the Interoperability Watch List.\n\n                    \xe2\x80\xa2   The Director, Operational Test and Evaluation had not\n                        completed a plan to include testing of critical operational\n                        issues addressing interoperability and information assurance\n                        in the Global Information Grid.\n\n            Without consistent guidance that makes combat and materiel developers\n            analyze programs using an operational architecture view, the DoD is at\n            risk of developing systems that operate independently of other systems\n            and of not fully realizing the benefits of interoperable DoD systems to\n            satisfy the needs of the warfighter as outlined in Joint Vision 2020.\n            However, the recent DoD revisions of policies in achieving\n            transformation through interoperability may have consolidated some\n            fragmented activities.\n\nInteroperability and Information Assurance Policies\n     The following provides an overview of DoD and Joint Staff policies concerning\n     interoperability and information assurance. Appendix F provides a detailed\n     discussion of the policy.\n\n     Interoperability Policy. The DoD and Joint Staff established policy guidance\n     concerning interoperability during the requirements and acquisition processes.\n\n              DoD Policy. The policy requires that joint, combined, coalition, and\n     interagency missions must be supported through interoperable information\n     technology and national security systems in global operations across the\n     peace-conflict spectrum. All information technology and national security\n     systems for U.S. Forces use are to be considered for use by joint, allied, and\n     other U.S. Government departments and agencies. Information technology and\n     national security systems\xe2\x80\x99 interoperability and supportability requirements are to\n     be identified through the mission area integrated architectures. Interoperability\n     requirements are required to be managed, evaluated, and reported throughout\n     the life of the system. All DoD acquisition category programs will use a C4I\n     Support Plan to document interoperability requirements. Additionally,\n     interoperability and supportability requirements are required to be balanced with\n     the need for information assurance.\n\n            Joint Staff Policy. The policy states that interoperability KPPs in an\n     ORD define the level of interoperability for the proposed system and that ORDs\n     must be certified before each milestone, regardless of acquisition category, for\n     conformance with joint national security systems and interoperability standards.\n\n\n                                         5\n\x0c           Failure to meet a KPP can be cause for the system to be reevaluated or the\n           program to be reassessed or terminated. In addition, USJFCOM is to provide\n           comments to the Joint Staff J-6 on interoperability issues for all acquisition\n           category programs to ensure that each ORD contains information exchange\n           requirements and operational views. Combatant commanders,4 Military\n           Departments, and DoD agencies are to incorporate interoperability testing into\n           their overall testing plans in coordination with DISA and the Joint\n           Interoperability Test Command (JITC). Further, JITC is to certify test results\n           for all interoperability system tests. The Joint Staff J-6 issues an interoperability\n           system validation memorandum based on the testing reports from the JITC.\n\n           Information Assurance Policy. The DoD and Joint Staff established policy\n           guidance concerning information assurance during the acquisition process.\n\n                   DoD Policy. The policy established the DoD Information Technology\n           Security Certification and Accreditation Process (the Process) for security\n           certification and accreditation of unclassified and classified information\n           technology. The Process sets forth the activities and management structure to\n           certify and accredit information technology systems that will maintain the\n           security posture of the Defense Information Infrastructure. Further, the\n           Director, Operational Test and Evaluation is not to approve test plans unless\n           they contain a well-defined strategy for addressing information assurance\n           concerns.\n\n                   Joint Staff Policy. The policy states that information assurance is\n           required for all DoD systems that are used to enter, process, store, display, or\n           transmit DoD information, regardless of classification or sensitivity.\n           Information assurance requirements are to be codeveloped and coevolved with\n           those for information interoperability. The policy also states that information\n           assurance is critical to the military\xe2\x80\x99s ability to conduct warfare and is the\n           responsibility of all modern warfighters; a risk assumed by one organization, at\n           any organization level, can be a risk imposed on all organizations. Therefore,\n           the requirement for implementing information assurance applies at all DoD\n           organization levels. Further, information assurance for DoD information\n           systems and networks requires a strategy that integrates the capabilities of\n           people, operations, and technology to ensure survivability and mission\n           accomplishment.\n\nEvaluation of Interoperability and Information Assurance\n  Policy\n           The ASD(C3I) had interoperability policies that were inconsistent with those of\n           the Chairman of the Joint Chiefs of Staff. Appendix F identifies the\n           interoperability and information assurance policies that the Defense agencies and\n           the Military Departments must implement. Appendix G provides a flow chart of\n           the interoperability requirements review process for DoD weapon systems.\n\n4\n    Formerly commanders-in-chief.\n\n\n                                                 6\n\x0cInconsistent Policy. DoD had issued at least six separate policy documents for\ninteroperability and at least three separate policy documents for information\nassurance because DoD dispersed authority for interoperability and information\nassurance policy to various organizations within the Office of the Secretary of\nDefense. Specifically, directorates in the offices of the Under Secretary of\nDefense for Acquisition, Technology, and Logistics; the ASD(C3I); the\nDirector, Operational Test and Evaluation; and the Joint Staff had established\ninteroperability and information assurance policies and instructions that apply to\nDoD. The DoD interoperability and information assurance policies and\ninstructions describe processes for reviewing system interoperability\nrequirements during the requirement generation stage and require that the\ninteroperability of system architectures be tested to ensure that information\ntechnology and national security systems communicate.\n\nDuring the audit, ASD(C3I) updated DoD Directive 4630.5, \xe2\x80\x9cInteroperability\nand Supportability of Information Technology (IT) and National Security\nSystems (NSS)\xe2\x80\x9d and DoD Instruction 4630.8 on January 11 and May 2, 2002,\nrespectively, because the outdated DoD Directive and Instruction had not been\nupdated for 10 years. Both updated policies canceled the previous versions\nsigned in 1992. Updates in 2002 to the DoD Instruction resolved the\ninconsistencies and synchronized policies and instructions for the first time.\n\nInformation Assurance Policy. The level of information assurance controls\nvaried throughout the DoD because no standard methodology existed to measure\nthe progress of information assurance, and no DoD-wide information security\nplan was implemented to protect and defend the DoD systems and networks,\naccording to prior Inspector General of the Department of Defense reviews.\nThe Inspector General of the Department of Defense in Report No. D-2001-182,\n\xe2\x80\x9cInformation Assurance Challenges,\xe2\x80\x9d stated that until DoD implements a\nconsolidated policy approach to information assurance and fully incorporates\ninformation assurance requirements into its ongoing architectural efforts,\nsecurity policies and procedures will continue to be fragmented, and DoD\nComponents will continue to provide varied and inconsistent levels of\ninformation assurance. Consolidating information assurance policy would\neliminate the need to keep all other DoD information assurance policies updated.\nWe will review specific requirements in upcoming audits, as discussed in\nAppendix A, \xe2\x80\x9cOther Matters of Interest.\xe2\x80\x9d\n\nRevisions to Guidance. When the Chairman of the Joint Chiefs of Staff revised\ninteroperability policies, those revisions were not immediately reflected in DoD\nInstruction 4630.8. However, during this audit, DoD updated the policies to\nreduce inconsistent attributes that would confuse those who will be required to\nimplement interoperability and information assurance policies. Furthermore,\nthe Office of the Secretary of Defense, in conjunction with the Chairman of the\nJoint Chiefs of Staff, should implement a process that timely updates all\ninteroperability and information assurance policies when interoperability or\ninformation assurance policy revisions occur.\n\n\n\n\n                                     7\n\x0cInteroperability Requirements\n         Public Law. Section 922, Public Law 105-261, \xe2\x80\x9cStrom Thurmond National\n         Defense Authorization Act for Fiscal Year 1999,\xe2\x80\x9d expressed the sense of\n         Congress concerning joint warfighting experimentation. In that provision,\n         Congress discussed the designation of a commander of a combatant command to\n         have the mission of joint warfighting experimentation, as a key step in\n         exploiting advanced technologies, new organizational structures and new joint\n         operational concepts to transform the conduct of military operations by the U.S.\n         Armed Forces. Congress also expressed its sense that such a commander should\n         be provided with appropriate and sufficient resources for joint warfighting\n         experimentation and listed the responsibilities and authorities that should\n         accompany that designation, including improving interoperability; reducing\n         unnecessary redundancy; synchronizing technology fielding; and making\n         recommendations to the Chairman of the Joint Chiefs of Staff on mission needs\n         statements and operational requirements documents. Section 485, title 10,\n         United States Code, was added by section 923 of Public Law 105-261 to provide\n         for an annual reporting requirement from the combatant commander to the\n         Secretary, and then to the Congress, on the joint experimentation efforts for\n         each preceding fiscal year.\n\n         Comparison of ORDs to Joint Mission Architectures. The DoD designated\n         the Commander, USJFCOM as the DoD Joint Force Integrator.5 However, the\n         USJFCOM did not compare ORDs to joint mission architectures before system\n         development started. This condition occurred because the USJFCOM, although\n         responsible for conducting interoperability analysis, was not assessing the\n         interoperability requirements within a joint mission architecture and because it\n         did not have the necessary analytical or quantitative modeling and simulation\n         tools. In comments to the report, ASD(C3I) stated that the Joint Staff must\n         refine the joint mission architectures and the subordinate mission areas before\n         USJFCOM can conduct an effective comparative analysis of operational\n         requirements.\n\n         Interoperability Analysis. Chairman of the Joint Chiefs of Staff\n         Instruction 6212.01B requires the USJFCOM to provide comments to the Joint\n         Staff J-6 on interoperability issues for all acquisition category programs so that\n         each ORD contains interoperability KPPs and information exchange\n         requirements. However, the USJFCOM did not analyze the ORD requirements\n         of a proposed DoD system within the context of ORD requirements of other\n         systems with which a proposed DoD system must interoperate and exchange\n         information. Instead of analyzing the ORDs that the system will interoperate\n         with, the USJFCOM stated that it reviews ORDs within the context of CRDs\n         and measures interoperability and integration requirements against ORDs that\n\n\n5\n DoD Instruction 4630.8 states that the USJFCOM, in an expanded role as the DoD Joint Force\nIntegrator, is responsible for enhancing interoperability and joint, combined, and coalition capabilities by\nrecommending changes in doctrine, organizations, training and education, materiel, leader development,\nand personnel.\n\n\n                                                     8\n\x0crelate to CRDs and against other known DoD systems outside the CRDs. The\nupdated DoD Instruction 4630.8 assigns the USJFCOM with the responsibility\nto collect, consolidate, and prioritize the information technology and national\nsecurity systems interoperability and supportability requirements for emerging\nand fielded Joint Task Force systems using input from Defense agencies and\nMilitary Departments. Additionally, the Instruction requires that USJFCOM\nparticipate in the requirements validation process for information technology and\nnational security systems by reviewing and confirming that the interoperability\ninformation exchange requirements and KPPs are sufficient for requirements\ndocuments. This assessment is based on the warfighter\xe2\x80\x99s perspective using joint\nmission area integrated architectures.\n\n         Interoperability Review Assessment. To provide interoperability\ncomments, USJFCOM subject-matter experts analyze ORD requirements against\nqualitative criteria established in Joint Staff policy after receiving the ORD from\nthe Joint Staff J-6. However, the subject-matter experts do not compare the\nproposed system ORD against the ORDs of the systems it must be interoperable\nwith, even if required, because they do not have the necessary analytical or\nquantitative modeling and simulation tools to determine whether the ORD is\nappropriate for the operational or systems architecture. As a result, the\nsubject-matter experts consider a system interoperable if the ORD contains\ninteroperability information exchange requirements and KPPs, but they do not\ndetermine whether the proposed DoD system\xe2\x80\x99s requirements are interoperable\nwith other systems in their intended mission architectures. Therefore, the\nsubject-matter experts conduct only a stand-alone qualitative assessment of the\nORD. The updated DoD Instruction 4630.8 requires that the development of\nmission area integrated architectures be consistent with the products required by\nthe C4I Surveillance and Reconnaissance Architecture Framework. The\nASD(C3I) stated that the updated DoD Instruction 4630.8, combined with\nguidance in the DoD Regulation 5000.2-R, \xe2\x80\x9cMandatory Procedures for Major\nDefense Acquisition Programs (MDAPs) and Major Automated Information\nSystem (MAIS) Acquisition Programs,\xe2\x80\x9d April 5, 2002, that requires working\nlevel integrated product teams to develop ORDs and C4I support plans, will\nassist the USJFCOM in the ORD analysis.\n\n        Tools. Modeling, simulations, or relationship databases may provide\nUSJFCOM with the means to synchronize interoperability requirements before\nbeginning system developmental work. Matching ORD interoperability and\ninformation assurance requirements at the beginning is necessary for later\nspecifications, standards, and interfaces to be written in acquisition document\nplans. Without conducting upfront interoperability requirements analysis of\nindividual systems in mission architectures, DoD may be at greater risk of\ndeveloping systems that do not communicate with each other. The Automated\nCommander-in-Chief Integrated System Tool (the Tool) is a DoD initiative\nunder development that could assist the USJFCOM in evaluating interoperability\nrequirements in proposed ORDs during the review process. The Tool is an\nautomated process intended to enable combat developers to build testable and\nmeasurable requirements, develop joint information exchange requirements,\nidentify operational architectures, and build system architectures based on\noperational needs. The Tool could be a mechanism to provide a single,\n\n\n                                     9\n\x0c        integrated, and coherent view of interoperability requirements for the Joint\n        Staff, the Military Departments, and the combatant commands. Accordingly,\n        the USJFCOM could use the Tool or similar mechanism to review the ORD for\n        interoperability requirements within the context of mission architectures.\n        However, all Defense agencies and Military Departments would have to agree\n        to use the Tool or a similar tool as the standard format for requirements sent to\n        USJFCOM.\n\n        Tracking Requirements. The Joint Staff J-6 did not have an updated Joint\n        Command, Control, Communications, Computers, and Intelligence Program\n        Assessment Tool (JCPAT) database to maintain interoperability certifications,\n        TEMPs, C4I support plans, and approved ORDs for DoD systems. Further,\n        after users were granted access to the JCPAT, they had unlimited read access to\n        all information, which raises concerns about the need to know.\n\n                Maintenance of the Database. In May 1999, the Joint Staff established\n        the JCPAT on the Secret Internet Protocol Router Network for DoD\n        organizations to use for tracking and staffing comments while reviewing the\n        requirements during the interoperability certification process, as required in the\n        Chairman of the Joint Chiefs of Staff Instruction 6212.01B. The Joint Staff J-6\n        relies on the DISA to maintain up-to-date documents that contain interoperability\n        and information assurance requirements for DoD systems. The documents\n        maintained include ORDs, CRDs, C4I support plans, and TEMPs. As a result,\n        the JCPAT is a historical database that lists all DoD systems undergoing\n        interoperability requirements certification or that have been certified for\n        interoperability. Further, the JCPAT contains comments made on DoD systems\n        about interoperability concerns.\n\n        When searching for interoperability certified documents in the JCPAT, a user\n        could not be assured that the document located was the most recently certified\n        document. More importantly, the Defense agencies and Military Departments\n        did not forward approved documents, such as the ORD, CRDs, C4I support\n        plans, or TEMP, for inclusion in the JCPAT database. The final approved\n        documents were not consistently maintained in the JCPAT because the Joint\n        Staff J-6 depends on the Joint Requirements Oversight Council and milestone\n        decision authorities to execute the requirement for Stage Three in the\n        requirement certification process.6 Therefore, the DISA and the USJFCOM\n        cannot compare new proposed ORDs to approved ORDs to provide meaningful\n        comments to the Joint Staff J-6 on the proposed ORDs.\n\n        For the JCPAT to be useful, final versions of the documents must be submitted\n        and included in the JCPAT. Further, outdated versions of documents should be\n        archived so that users can locate and obtain the most up-to-date approved\n        documents for making interoperability determinations for DoD systems.\n\n\n\n6\n The Chairman of the Joint Chiefs of Staff Instruction 6212.01B requires posting the document into the\nJCPAT within 15 days after the Joint Requirements Oversight Council or the milestone decision authority\napproves the mission need statement, CRD, or ORD.\n\n\n                                                  10\n\x0c                Access to Database. Appendix H identifies 50 DoD organizations that\n        have access to the JCPAT. In those 50 DoD organizations, 756 users were\n        given access to the JCPAT through a secure network. DISA identified 756 total\n        users; however, it could not designate whether those users were DoD or\n        contractor personnel. As a result, contractors have read-only access to program\n        documentation for which they may not have a need to know.\n\nOversight of Significant Interoperability Deficiencies\n        Interoperability Watch List. DoD policy on the Interoperability Watch List\n        (Watch List) did not define a significant interoperability deficiency that would\n        cause the Office of the Secretary of Defense, the Joint Staff, the Defense\n        agencies, and the Military Departments to place a DoD system on the Watch\n        List.\n\n        Policy. DoD Regulation 5000.2-R states that all major DoD acquisition\n        programs, programs on the Office of the Secretary of Defense Test and\n        Evaluation Oversight list, legacy systems, and all programs and systems that\n        must interoperate with them are subject to interoperability evaluations\n        throughout their life cycles to validate their ability to support mission\n        accomplishment. At their discretion, the Under Secretary of Defense for\n        Acquisition, Technology, and Logistics; the ASD(C3I); the Director,\n        Operational Test and Evaluation; and the Joint Staff (the four signatories)\n        decide, based on the Interoperability Senior Review Panel\xe2\x80\x99s7 recommendations,\n        to place programs and systems deemed to have significant interoperability\n        deficiencies on the Watch List. DoD systems are to remain on the Watch List\n        until program managers take corrective actions to address identified\n        interoperability deficiencies. The Interoperability Senior Review Panel is\n        required to prepare quarterly reports summarizing the activities of DoD systems\n        and programs on the Watch List.\n\n        Inclusion of DoD Systems with Significant Interoperability Deficiencies on\n        the Watch List. Although the policy applies to all programs and systems, as of\n        July 2002, no programs had been or are on the Watch List.8 Further, the\n        Interoperability Senior Review Panel did not prepare any quarterly reports that\n        addressed DoD systems with interoperability testing concerns during FY 2001.\n\n\n7\n The Interoperability Senior Review Panel is composed of senior leaders from the Offices of the Under\nSecretary of Defense for Acquisition Technology and Logistics; the ASD(C3I); the Joint Staff; the\nUSJFCOM; the Director for Programs, Analysis, and Evaluation; and the Director, Operational Test and\nEvaluation.\n8\n The Director, Operational Test and Evaluation stated that the original intent was for organizations, such\nas the Military Communication and Electronics Board, the USJFCOM, and others, to identify DoD\nsystems for the Watch List. The Interoperability Senior Review Panel has discussed criteria. One\ncriteria is the overall impact the lack of interoperability has on a mission area. The Interoperability\nSenior Review Panel has considered the U.S. Air Force Situational Awareness Date Link as a candidate\nfor placement on the Watch List; however, the Interoperability Senior Review Panel has been unable to\nreach consensus on the placing the Situational Awareness Date Link on the Watch List.\n\n\n                                                    11\n\x0c        However, the Director, Operational Test and Evaluation cited interoperability\n        testing concerns for 21 DoD systems in the FY 2001 Annual Test Report to\n        Congress, as shown in the following table.\n\n\n\n\n                             Programs with Interoperability Deficiencies\n                                 in the FY 2001 Annual Test Report\n\n                                                                 Number\n                                       Military                  of DoD\n                                      Department                 Systems\n\n                                      Army                            8\n                                      Navy                            7\n                                      Air Force                       5\n                                      Other DoD                       1\n                                        Total                        219\n\n\n\n\n        The Director, Operational Test and Evaluation stated that identifying\n        interoperability deficiencies in the FY 2001 Annual Report is a positive sign that\n        DoD policies are working and that program managers are now obligated to\n        address the Director, Operational Test and Evaluation concerns before\n        progressing with development and production. Furthermore, the Director,\n        Operational Test and Evaluation stated that many of the systems shown in the\n        table will be tested and validated over a series of already scheduled test events\n        outlined in the applicable system\xe2\x80\x99s TEMP. However, some of the programs\n        were not mature enough in development to address interoperability issues, while\n        other systems were having to \xe2\x80\x9ccatch up\xe2\x80\x9d to recent policies, because the policies\n        were not in existence in the system\xe2\x80\x99s early development phase.\n\n        DoD Regulation 5000.2-R states that DoD systems that have a significant\n        interoperability deficiency may be added to the Watch List. Because the phrase\n        significant interoperability deficiency is ambiguous, a more concise definition is\n        required to determine when a DoD system should be added to the Watch List.\n        The Interoperability Senior Review Panel could use the requirements in DoD\n        Regulation 5000.2-R on interoperability and information assurance as\n\n\n9\n Of the 21 programs, 9 are Acquisition Category I, 8 are Acquisition Category II, and 4 are Acquisition\nCategory III. Those programs are on the Director, Operational Test and Evaluation\xe2\x80\x99s Oversight Watch\nList. The Director, Operational Test and Evaluation stated that, because those programs were on the\nOversight Watch List, many of the system level issues would be resolved at the milestone decision\nreviews. However, he stated that the concern was with the systems not on the Oversight Watch List,\nsuch as Acquisition Category III and IV systems, transitioning advanced concept technology\ndemonstrations, and fielded legacy systems.\n\n\n                                                  12\n\x0c        criteria for determining inclusion of systems on the Watch List. DoD\n        Regulation 5000.2-R requires that DoD system program offices have:\n\n                 \xe2\x80\xa2   an interoperability certification from the Joint Staff J-6,\n\n                 \xe2\x80\xa2   approval of the C4I support plan and information assurance strategy\n                     from the chief information officer,\n\n                 \xe2\x80\xa2   verification that the program manager used the Joint Technical\n                     Architecture standards and guidelines in system development, and\n\n                 \xe2\x80\xa2   an approved Systems Security Authorization Agreement.\n\n        By actively using the Watch List, the DoD would have a method of ensuring\n        compliance with the interoperability and information assurance based on DoD\n        Regulation 5000.2-R requirements. The updated DoD Instruction 4630.8\n        reinforces the establishment of the Watch List.10 However, the revised\n        instruction does not state specific criteria for systems to be included on the\n        Watch List. The phrase \xe2\x80\x9ccritical for mission effectiveness\xe2\x80\x9d allows a broad\n        interpretation.\n\n        Measuring Progress. DoD Regulation 5000.2-R states that when a DoD\n        system is placed on the Watch List, the program office is to provide periodic\n        updates of current status towards correcting identified deficiencies to the\n        Interoperability Senior Review Panel. The program manager, or other\n        cognizant official, and the responsible test organization, in conjunction with\n        JITC, provide those updates. Those updates support an assessment as to\n        whether interoperability issues are being adequately addressed, and whether a\n        status change is warranted; specifically, whether the program or system should\n        be removed from the Watch List, kept on the Watch List, or proposed for test\n        and evaluation oversight. Staff members of the Interoperability Senior Review\n        Panel are to conduct quarterly reviews to determine the program manager\xe2\x80\x99s\n        progress towards addressing identified interoperability deficiencies.\n\n        To strengthen the review process for measuring corrective actions to mitigate\n        the deficiencies, program office corrective actions taken on Acquisition\n        Category I programs and less than Acquisition Category I programs on the\n        Watch List should be discussed in the Defense Acquisition Executive Summary\n        reporting process and during program reviews, respectively.\n\n                Defense Acquisition Executive Summary. DoD Regulation 5000.2-R\n        states that the Defense Acquisition Executive Summary is a multi-part\n        document, which reports program information and assessments; program\n\n10\n  DoD Instruction 4630.8 requires that the Director, Operational Test and Evaluation establish, in\nconjunction with the Under Secretary of Defense for Acquisition, Technology, and Logistics; the DoD\nChief Information Officer; the Chairman of the Joint Chiefs of Staff; and the USJFCOM, an\nInteroperability Watch List to provide DoD oversight for those systems that interoperability is deemed\ncritical to mission effectiveness, but is not being adequately addressed. Systems considered for the\nInteroperability Watch List may be preacquisition systems, acquisition programs (any acquisition\ncategory), already fielded systems, or combatant command-unique procurements.\n\n\n                                                   13\n\x0c     manager, program executive officer, and Component acquisition executive\n     comments; and cost and funding data primarily for Acquisition Category I\n     programs. The Defense Acquisition Executive Summary is an early warning\n     report to the Under Secretary of Defense for Acquisition, Technology, and\n     Logistics and the ASD(C3I), which describes actual program problems, warns\n     of potential program problems, and describes mitigating actions taken. At a\n     minimum, the Defense Acquisition Executive Summary reports program\n     assessments, including interoperability, unit costs, and current estimates, and\n     the status of exit criteria and vulnerability assessments. The Under Secretary of\n     Defense for Acquisition, Technology, and Logistics; the Under Secretary of\n     Defense (Comptroller); Director, Operational Test and Evaluation; the Cost\n     Analysis Improvement Group in the Office of the Secretary of Defense; the\n     Component acquisition executives; and the program executive officers review or\n     assess the Defense Acquisition Executive Summary reports. During those\n     reviews or assessments, we believe those groups should determine whether the\n     program has:\n\n            \xe2\x80\xa2   shown significant interoperability deficiencies,\n\n            \xe2\x80\xa2   been placed on the Watch List, and\n\n            \xe2\x80\xa2   made progress towards correcting the significant interoperability\n                deficiencies to be removed from the Watch List.\n\n     By reviewing significant interoperability deficiencies during the review process,\n     the Defense Acquisition Executive Summary review groups may have focused\n     additional attention on the nine Acquisition Category I programs that have\n     interoperability testing concerns in the FY 2001 Annual Test Report to\n     Congress.\n\n             Program Reviews. At milestone and appropriate program reviews, the\n     milestone decision authority should be focusing additional attention on programs\n     that are on the Watch List to determine whether the program offices are making\n     satisfactory progress towards correcting significant interoperability deficiencies.\n\nTesting Interoperability and Information Assurance\n  Requirements in the Global Information Grid\n     On March 31, 2000, the Deputy Secretary of Defense directed the Director,\n     Operational Test and Evaluation to include critical operational issues addressing\n     interoperability and information assurance in the GIG operational test and\n     evaluation.\n\n     The GIG is not one system, but an end-to-end set of information capabilities,\n     associated processes, and personnel for collecting, processing, storing,\n     disseminating, and managing information on demand to warfighters, policy\n     makers, and support personnel. The GIG includes all owned and leased\n     communication and computing systems, services, software, data, security\n     services, national security systems, and associated services necessary to achieve\n\n\n                                         14\n\x0c         Information Superiority. In this regard, the Director, Operational Test and\n         Evaluation plans to eventually create a joint network to simulate the GIG\n         consisting of equipment at Military Department test facilities.11 That simulated\n         network would show how DoD systems will communicate in a joint and allied\n         environment. However, the Director, Operational Test and Evaluation had not\n         formalized a plan that discusses the required resources needed to construct the\n         network.\n\n         Military Departments, system designers, and system testers need to coordinate\n         their resources to adequately test interoperability and information assurance\n         among DoD systems in the GIG and determine their mission capability in a joint\n         environment. System testers design operational tests around critical operational\n         issues that are derived from operational requirements in the ORD. However,\n         the GIG is based on many DoD systems that work together as an architecture of\n         a mission area. Therefore, testing of interoperability and information assurance\n         in individual DoD systems that are part of the GIG must be included as critical\n         operational issues so that testers will fully test the operational effectiveness and\n         suitability of the individual systems as they operate in the GIG. The Director,\n         Operational Test and Evaluation stated that the challenge is to identify the\n         appropriate architecture and the ability to execute a test that takes into account\n         the scope of that architecture.\n\nConclusion\n         Without consistent guidance that makes combat and materiel developers analyze\n         programs using an operational architecture view, the DoD is at risk of\n         developing systems that operate independently of other systems and of not fully\n         realizing the benefits of interoperable DoD systems to satisfy the needs of the\n         warfighter as outlined in Joint Vision 2020. DoD interoperability and\n         information assurance requirements must become more streamlined and easier to\n         implement. Further, information assurance must be implemented appropriately\n         and commensurate to the level of interoperability required to avoid fielding DoD\n         systems that do not ensure the availability, integrity, authenticity,\n         confidentiality, and nonrepudiation of information. To achieve this objective,\n         combat developers12 must have the capability to conduct analyses of operational\n         requirements at the beginning of a system to determine the interoperability and\n         information assurance effects of new and legacy systems on mission area\n         architectures.13 Without this capability, the combat developers cannot determine\n         which systems need to operate together and whether those systems will be\n         suitable for the warfighter.\n11\n  DoD has funded the development of the Joint Distributed Engineering Plant to coordinate resources for\ntesting. The Director, Operational Test and Evaluation stated that, as the Joint Distributed Engineering\nPlant matures, he will use it for integration testing to provide that larger environment represented by the\nGIG.\n12\n A combat developer is the command or agency that formulates doctrine, concepts, organization\nmakeup, materiel requirements, and objectives. Generically, it represents the user community role in the\nmateriel acquisition process.\n13\n   The ASD(C3I), the Director, Operational Test and Evaluation, and the USJFCOM stated that the\nChairman of the Joint Chiefs of Staff completing joint mission area architectures is critical to achieving\ninteroperability.\n\n                                                    15\n\x0cManagement Comments on the Finding and Audit Response\n    Summaries of management comments on the finding and audit responses are in\n    Appendix I.\n\nRecommendations, Management Comments, and Audit\n  Response\n    Redirected and Revised Recommendations. In response to most of the\n    recommendations, we received varied management comments to the same\n    recommendation, often without a coordinated corrective action plan. Therefore,\n    to collectively resolve the recommendations and to obtain succinct and attainable\n    corrective action, we are redirecting Recommendations 1., 2., 3.a., 3.b., 4.a.,\n    and 4.b. to the Co-Chair, Interoperability Senior Review Panel, which consists\n    of senior leaders from the Offices of the Under Secretary of Defense for\n    Acquisition, Technology, and Logistics; the ASD(C3I); the Joint Staff; the\n    USJFCOM; the Director for Programs, Analysis, and Evaluation; and the\n    Director, Operational Test and Evaluation. Further, in response to comments\n    by the Director, Interoperability, Office of the Under Secretary of Defense for\n    Acquisition, Technology, and Logistics; the Inspector General, USJFCOM; and\n    the Director, Joint Staff, we revised Recommendations 1., 3.a., and 4.b.,\n    respectively, so that:\n\n           \xe2\x80\xa2   the revision process for interoperability and information assurance\n               policies will be jointly implemented instead of coordinated among the\n               applicable organizations;\n\n           \xe2\x80\xa2   the Commander, USJFCOM will compare the ORDs of proposed\n               DoD systems with joint mission area architectures, as they are\n               completed, against the ORDs in the related joint mission area\n               architecture to verify the completeness of stated interoperability\n               requirements; and\n\n           \xe2\x80\xa2   JCPAT access will be limited to users who have a need to know.\n\n    1. We recommend that the Co-Chair, Interoperability Senior Review\n    Panel, in concert with the applicable membership of the Interoperability\n    Senior Review Panel, implement a process that timely integrates revisions\n    for interoperability and information assurance policies into the applicable\n    DoD and Chairman of the Joint Chiefs of Staff interoperability and\n    information assurance policies.\n\n    Director, Architecture and Interoperability, Office of the ASD(C3I),\n    Comments. The Director concurred, stating that his office will work with the\n    Office of the Under Secretary of Defense for Acquisition, Technology, and\n    Logistics and the Joint Staff to implement a process for timely revision and\n\n\n\n                                       16\n\x0csynchronization of DoD interoperability and information assurance policies.\nFurther, the Director stated that the Interoperability Senior Review Panel will be\nused to:\n\n       \xe2\x80\xa2   coordinate the annual review and synchronization and review, if\n           required, for the following policies and implementing instructions\n           that affect interoperability: DoD Directive 4630.5; DoD\n           Instruction 4630.8; Chairman of the Joint Chiefs of Staff\n           Instruction 3170.01B, \xe2\x80\x9cRequirements Generation System,\xe2\x80\x9d April 15,\n           2001; and Chairman of the Joint Chiefs of Staff\n           Instruction 6212.01B; and\n\n       \xe2\x80\xa2   ensure consistency of those policies and implementing instructions\n           with the 5000 series policy documents for acquisition; DoD\n           Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security\n           Certification and Accreditation Process (DITSCAP),\xe2\x80\x9d December 30,\n           1997; and Chairman of the Joint Chiefs of Staff\n           Instruction 6510.01C, \xe2\x80\x9cInformation Assurance and Computer\n           Network Defense,\xe2\x80\x9d May 1, 2001.\n\nFor the complete text of the Director\xe2\x80\x99s comments, see the Management\nComments section of the report.\n\nDirector, Joint Staff Comments. The Director concurred, subject to the\ninclusion of his comments, and suggested adding the following to the\nrecommendation:\n           We also recommend the implementation of a process which addresses,\n           funds, and implements aspects of joint battle management command\n           and control interoperability and connectively; validation and/or\n           allocation of resources to acquire Joint systems and create offices\n           supporting integration of materiel and non-materiel solutions for\n           broad mission capability areas.\n\nThe Director stated that he made the suggestion because the report did not\naddress the issue that DoD was not effectively structured to organize, train, and\nequip joint capabilities. Further, he stated that a joint process was not\nestablished to delineate who is responsible and accountable for developing and\nacquiring joint command and control systems and integrating capabilities. For\nthe complete text of the Director\xe2\x80\x99s comments, see the Management Comments\nsection of the report.\n\nDirector, Interoperability, Office of the Under Secretary of Defense for\nAcquisition, Technology, and Logistics Comments. The Director neither\nconcurred nor nonconcurred; however, he stated that the wording \xe2\x80\x9cin\ncoordination with\xe2\x80\x9d could be construed to give the ASD(C3I) primacy over the\nUnder Secretary of Defense for Acquisition, Technology, and Logistics and the\nJoint Staff in integrating revisions to all documents related to interoperability.\nFurther, he stated that each of those organizations is responsible for one or more\nof those documents. Therefore, the Director recommended that the phase \xe2\x80\x9cin\ncoordination with\xe2\x80\x9d be changed to \xe2\x80\x9cjointly with\xe2\x80\x9d or that the first four lines be\n\n\n                                      17\n\x0crewritten to read, \xe2\x80\x9cWe recommend that the Assistant Secretary of Defense\n(Command, Control, Communications, and Intelligence); the Under Secretary of\nDefense for Acquisition, Technology, and Logistics; and the Chairman of the\nJoint Chiefs of Staff jointly implement....\xe2\x80\x9d For the complete text of the\nDirector\xe2\x80\x99s comments, see the Management Comments section of the report.\n\nCo-Chair, Interoperability Senior Review Panel Comments. The Co-Chair\nagreed, stating that the Interoperability Senior Review Panel will work with the\nJoint Staff to implement a process for timely revision and synchronization of\nDoD policies regarding interoperability and information assurance. In addition,\nhe provided comments similar to those made by the Director, Architecture and\nInteroperability, Office of the ASD(C3I). For the complete text of the\nCo-Chair\xe2\x80\x99s comments, see the Management Comments section of the report.\n\nAudit Response. The comments by the Director, Architecture and\nInteroperability, Office of the ASD(C3I); and the Director, Interoperability,\nOffice of the Under Secretary of Defense for Acquisition, Technology, and\nLogistics were responsive. In response to the Director, Interoperability, we\nrevised the recommendation as suggested. Further, the suggestion by the\nDirector, Joint Staff concerning the issue of organizing, training, and equipping\njoint capabilities was outside the audit scope.\n\nBecause the respondents have not yet established a process for timely revision\nand synchronization of DoD policies regarding interoperability and information\nassurance, we redirected the recommendation to the Co-Chair, Interoperability\nSenior Review Panel, whose membership consists of the Under Secretary of\nDefense for Acquisition, Technology, and Logistics; the ASD(C3I); the Joint\nStaff; the USJFCOM; the Director for Programs, Analysis, and Evaluation; and\nthe Director, Operational Test and Evaluation, and request that the Co-Chair\nprovide additional comments on how and when the Interoperability Senior\nReview Panel will establish a timely revision and synchronization process.\n\n2. We recommend that the Co-Chair, Interoperability Senior Review\nPanel, in concert with the applicable membership of the Interoperability\nSenior Review Panel, define the term significant interoperability deficiency,\nand establish criteria and procedures for placing a DoD system with a\nsignificant interoperability deficiency on the Interoperability Watch List.\n\nDirector, Joint Staff Comments. The Director concurred, subject to the\ninclusion of his comments, and suggested adding the following subparagraphs to\nthe recommendation:\n           a.   Develop Joint Mission Area Architectures based on currently\n                available DoD assets and based on those assets needed to provide\n                the capabilities for the future.\n           b. Provide an analysis branch within each JMA [Joint Mission Area]\n              to assess Requirement Document relevance against known\n              architecture needs.\n\n\n\n\n                                        18\n\x0c           c.   Develop compliant, certified, and standard analysis and predictive\n                tools, such as models or simulations, to assist in verifying the\n                completeness of stated interoperability requirements in mission\n                area architectures.\n\nDirector, Architecture and Interoperability, Office of the ASD(C3I),\nComments. The Director neither concurred nor nonconcurred; however, he\nstated that his office is working with the Office of the Under Secretary of\nDefense for Acquisition, Technology, and Logistics; the Director, Operational\nTest and Evaluation; and the Joint Staff to develop procedures for addressing\ninteroperability deficiencies within existing processes. Further, he stated that\nhis office will continue to work with the Interoperability Senior Review Panel to\nrefine the process for identifying programs with interoperability deficiencies and\nfor nominating those programs as candidates for the Interoperability Watch List.\nThe Director stated that, because the Interoperability Watch List is a relatively\nnew oversight tool, the development of appropriate criteria and procedures for\nplacing programs on the Interoperability Watch List is still in the formative\nstages.\n\nIn addition, the Director stated that the Air Force\xe2\x80\x99s Situational Awareness Data\nLink program was pursued as an initial pilot case for nomination to the\nInteroperability Watch List. He stated that the lessons learned from that pilot\ncase will be applied as other programs are explored for Interoperability Watch\nList consideration.\n\nDirector, Operational Test and Evaluation Comments. The Director\npartially concurred, stating that, as a member of the Interoperability Senior\nReview Panel, his office continues to work with the other members on refining\nthe Interoperability Watch List processes. Further, he stated that the\nInteroperability Watch List is one of many tools available within DoD to address\ninteroperability problems. The Director also stated that the Interoperability\nWatch List policy states that the list will be used for those systems with\ninteroperability issues that are not being adequately addressed by other forums.\n\nThe Director stated that the Interoperability Senior Review Panel has served a\nvaluable role over the last 18 months by coordinating interoperability policies\nand actions across DoD and by working within existing forums to solve issues.\nFor example, the Interoperability Senior Review Panel worked with the Office\nof the Deputy Under Secretary of Defense for Advanced Systems and Concepts,\nOffice of the Under Secretary of Defense for Acquisition, Technology, and\nLogistics to ensure that interoperability is stressed within advanced concept\ntechnology demonstrations to avoid problems in the transition of these\nexperimental items to the force.\n\nIn addition, the Director stated that the criteria for Interoperability Watch List\ncandidates suggested by the report were certainly a start and that his office and\nthe Interoperability Senior Review Panel would use those criteria to evaluate\nfuture candidates. He also stated that the report cited the Director, Operational\nTest and Evaluation\xe2\x80\x99s Annual Report to Congress as a source of systems for the\nInteroperability Watch List.\n\n\n\n                                        19\n\x0cIn conclusion, the Director stated that, although he believed that those systems\nin the Annual Report already received adequate attention through test and\nevaluation oversight and other acquisition review processes, he would bring\nprograms under test and evaluation oversight that were not adequately\naddressing interoperability to the attention of the Interoperability Senior Review\nPanel for its consideration.\n\nCo-Chair, Interoperability Senior Review Panel Comments. The Co-Chair\nstated that the Interoperability Senior Review Panel will continue to refine the\nprocess and procedures to implement the Interoperability Watch List. Further,\nhe stated that the Interoperability Senior Review Panel\xe2\x80\x99s pilot case in 2001 was\nthe Air Force\xe2\x80\x99s Situational Awareness Data Link program. The Co-chair stated\nthat the Interoperability Senior Review Panel determined that the Situational\nAwareness Data Link had significant interoperability issues. In addition, he\nstated that the visibility, which the Interoperability Senior Review Panel placed\non the Situational Awareness Data Link, caused the Air Force to design an\ninteroperable solution for its close air support aircraft.\n\nThe Co-Chair stated that the Interoperability Senior Review Panel continues to\ninvestigate other programs for the Interoperability Watch List and will work to\nfind solutions within established processes of the Offices of the Joint Staff; the\nUnder Secretary of Defense for Acquisition, Technology, and Logistics; the\nASD(C3I); and the Director, Operational Test and Evaluation before placing a\nsystem on the Interoperability Watch List.\n\nAudit Response. The comments of the Director, Joint Staff; the Director,\nArchitecture and Interoperability, Office of the ASD(C3I); and the Director,\nOperational Test and Evaluation were responsive. However, the suggestion that\nthe Director, Joint Staff made concerning the subparagraphs to the\nrecommendation should be proposed to the Interoperability Senior Review Panel\nfor defining criteria, processes, and procedures for the Interoperability Watch\nList.\n\nEven though the Director, Interoperability, Office of the Under Secretary of\nDefense for Acquisition, Technology, and Logistics and the Inspector General,\nUSJFCOM did not comment on the recommendation, the comments by the\nCo-Chair, Interoperability Senior Review Panel satisfied the requirement to\ncomment because those offices are represented on the Interoperability Senior\nReview Panel.\n\nIn addition to investigating other programs for the Interoperability Watch List\nand working to find solutions within established processes before placing a\nsystem on the Interoperability Watch List, the Interoperability Senior Review\nPanel should have a clearly defined process and criteria for the Interoperability\nWatch List to work effectively. The specific criteria, processes, and procedures\nshould be included in DoD instructions so that combat and materiel developers\nunderstand the ramifications of their systems not being interoperable.\nTherefore, we redirected the recommendation to the Co-Chair, Interoperability\nSenior Review Panel, and request that he provide additional comments on how\n\n\n\n                                    20\n\x0cand when the Interoperability Senior Review Panel will establish a clearly\ndefined process and criteria for placing DoD weapon systems in the\ndevelopment phase of the acquisition process on the Interoperability Watch List.\n\n3. We recommend that the Co-Chair, Interoperability Senior Review\nPanel, in concert with the applicable membership of the Interoperability\nSenior Review Panel, ensure that the Commander, U.S. Joint Forces\nCommand, pursuant to DoD Instruction 4630.8, \xe2\x80\x9cProcedures for\nInteroperability and Supportability of Information Technology (IT) and\nNational Security Systems (NSS),\xe2\x80\x9d May 2, 2002, and the Chairman of the\nJoint Chiefs of Staff Instruction 6212.01B, \xe2\x80\x9cInteroperability and\nSupportability of National Security Systems, and Information Technology\nSystems,\xe2\x80\x9d May 8, 2000, as part of the operational requirements document\ninteroperability certification process:\n\n       a. Compares the operational requirements documents of proposed\nDoD systems with joint mission area architectures, as they are completed,\nagainst the other operational requirements documents in the related joint\nmission area architecture to verify the completeness of stated\ninteroperability requirements.\n\nInspector General, USJFCOM Comments. The Inspector General neither\nconcurred nor nonconcurred; however, he stated that the recommendation is not\nachievable without the Joint Staff\xe2\x80\x99s completion of the joint mission area\narchitectures. Further, he stated that USJFCOM recognizes that the\ndevelopment of the joint mission area architectures is critical when comparing\nrequirements across programs and will continue to pursue this need separately\nand collectively in all available forums. In addition, the Inspector General\nrecommended that the recommendation be changed for accuracy to read:\n           Compare the operational requirements documents of proposed DoD\n           systems with JMA [Joint Mission Area] architectures, as they are\n           completed, against the other operational requirements documents in\n           the related joint mission area architecture to verify the completeness\n           of stated interoperability requirements.\n\nThe Inspector General suggested this new recommendation because USJFCOM\nwas not resourced to execute Recommendations 3.a. and 3.b.\n\nDirector, Joint Staff Comments. The Director stated that the USJFCOM was\nrequired to review only operational requirements documents as standalone\ndocuments for compliance with capstone requirements documents. Further, he\nstated that USJFCOM does not have the authority or resources to provide a\nmore in-depth review of operational requirements documents for interoperability\nwithin the respective family of systems. Further, the Director suggested that the\nrecommendation be changed for accuracy to read:\n           Compare all relevant requirements documents of proposed DoD IT\n           [Information Technology] and NSS [National Security System] (to\n           include SAP [Special Access Program]) systems with JMA [Joint\n           Mission Area] architectures, as they are completed, against all other\n\n\n\n                                        21\n\x0c           operational requirements documents in the related joint mission area\n           architecture to verify the completeness of stated interoperability\n           requirements.\n\nDirector, Architecture and Interoperability, Office of the ASD(C3I),\nComments. The Director agreed with the underlying premise of the\nrecommendation. However, the Director believes that the recommendation\nshould have indicated that, before the Joint Forces Command can conduct an\neffective comparative analysis of operational requirements:\n\n       \xe2\x80\xa2   the Joint Staff must first define the joint mission areas and\n           subordinate supporting mission areas and\n\n       \xe2\x80\xa2   the DoD Components must develop mission area integrated\n           architectures.\n\nFurther, the Director stated that DoD Instruction 4630.8 assigns to the Joint\nStaff the responsibility to:\n           Ensure mission area integrated architectures, strategies, concepts, and\n           visions of the DoD Components are synchronized to support IT\n           [Information Technology] and NSS [National Security System]\n           interoperability requirements and identify opportunities for, and\n           impediments to, interoperability.\n\nThe Director also stated that, once joint mission and subordinate mission areas\nare defined, the Joint Staff must coordinate with the DoD Components to ensure\nthat DoD develops a consistent and integrated set of mission area integrated\narchitectures across the Military Departments and Defense agencies. He\nproposed that a recommendation be made in the report for the Joint Staff to\nfurther refine existing joint mission areas and to define applicable subordinate\nmission areas to serve as a basis for the DoD Components to develop mission\narea integrated architectures.\n\nCo-Chair, Interoperability Senior Review Panel Comments. The Co-Chair\nagreed with the concept of the recommendation, stating that the Interoperability\nSenior Review Panel recognizes that the development of the joint mission area\narchitectures is critical to the comparison of requirements across programs.\nFurther, he stated that Interoperability Senior Review Panel will continue to\nemphasize this need separately and collectively in all available forums.\nHowever, the Co-Chair stated that the recommendation, as drafted, is not\nactionable by the Joint Forces Command without Joint Staff completion of the\njoint mission area architectures.\n\nAudit Response. The Inspector General, USJFCOM comments were\nresponsive to the intent of our recommendation. In response to those\ncomments, we revised the recommendation as suggested by the Inspector\n\n\n\n\n                                        22\n\x0cGeneral, USJFCOM. Further, we redirected the recommendation to the\nCo-Chair, Interoperability Senior Review Panel, and request that he provide\nadditional comments on:\n\n       \xe2\x80\xa2   the interim process that the Interoperability Senior Review Panel and\n           USJFCOM will employ to compare the ORDs of proposed DoD\n           systems against the other ORDs in the related mission area\n           architecture to verify the completeness of stated interoperability\n           requirements until the joint mission area architectures are completed;\n           and\n\n       \xe2\x80\xa2   the resources that the Interoperability Senior Review Panel and\n           USJFCOM require to implement the recommendation.\n\nIn response to the Director, Joint Staff comments that USJFCOM does not have\nthe authority or resources to provide a more in-depth review of operational\nrequirements documents, Congress expressed its sense in Section 922, Public\nLaw 105-261, that the commander of a combatant command should be provided\nwith appropriate and sufficient resources for joint warfighting experimentation.\nIt listed the responsibilities and authorities that should accompany that\ndesignation, including improving interoperability and making recommendations\nto the Chairman of the Joint Chiefs of Staff on mission needs statements and\nORDs. Accordingly, if USJFCOM believes that resources are insufficient, it\nshould request the resources needed to fulfill the congressional intent.\n\n       b. Uses quantification analysis and predictive tools, such as models\nor simulations, to assist in verifying the completeness of stated\ninteroperability requirements in mission area architectures.\n\nInspector General, USJFCOM Comments. The Inspector General neither\nconcurred nor nonconcurred; however, he stated that the recommendation was\nnot fully achievable at this time. Further, he stated that, although the software\ntools referenced in the report are under USJFCOM assessment and show\npotential, the software tools must be officially accredited by the Office of the\nSecretary of Defense and the Joint Staff for the verification of joint\ninteroperability requirements in mission area architectures.\n\nCo-Chair, Interoperability Senior Review Panel Comments. The Co-Chair\nagreed with the concept of the recommendation and provided comments similar\nto those submitted by the Inspector General, USJFCOM.\n\nAudit Response. The Inspector General, USJFCOM comments were\nresponsive to the intent of our recommendation. However, because the software\ntools referenced in the report are under USJFCOM assessment and show\npotential, but have not yet been accredited, we redirected the recommendation to\nthe Co-Chair, Interoperability Senior Review Panel and request that he provide\nadditional comments on:\n\n       \xe2\x80\xa2   when the accreditation process for the software tools will be\n           completed, and\n\n\n                                    23\n\x0c       \xe2\x80\xa2   when the software tools will be made available for the DoD\n           Components to verify joint interoperability requirements of planned\n           weapon systems in mission area architectures.\n\n4. We recommend that the Co-Chair, Interoperability Senior Review\nPanel, in concert with the applicable membership of the Interoperability\nSenior Review Panel:\n\n       a. Update or archive, as applicable, outdated operational\nrequirements documents maintained in the Joint Command, Control,\nCommunications, Computers, and Intelligence Program Assessment Tool\ndatabase.\n\nDirector, Joint Staff Comments. The Director concurred, subject to the\ninclusion of his comments, and suggested that the recommendation be redirected\nto the ASD(C3I); the Director, DISA; and the Commander, USJFCOM, in\naddition to the Director, Command, Control, Communications, and Computers\nSystems Directorate (J-6), Office of the Chairman of the Joint Chiefs of Staff.\nHe stated that the reason for redirecting the recommendation was because:\n\n       \xe2\x80\xa2   JCPAT access and archiving are functional responsibilities of the\n           Defense Information Systems Agency;\n\n       \xe2\x80\xa2   the Office of the ASD(C3I) also uses the JCPAT; and\n\n       \xe2\x80\xa2   as the warfighters advocate for interoperability and integration,\n           USJFCOM should participate in the architecture process to ensure\n           that warfighter needs and interests are met.\n\nCo-Chair, Interoperability Senior Review Panel Comments. The Co-Chair\nstated that the Interoperability Senior Review Panel supports the position of the\nJoint Staff regarding this recommendation. Specifically, the responsibility for\nthe JCPAT goes beyond the Joint Staff; therefore, the recommendation should\nbe addressed to all departments, agencies, and directorates that use or control\naccess, or both, to the JCPAT. Further, he stated that the Interoperability\nSenior Review Panel will review the policy and guidance associated with the\nJCPAT and make recommendations to appropriate organizations.\n\nAudit Response. The Director, Joint Staff comments were responsive to the\nintent of our recommendation. In response to those comments, we redirected\nthe recommendation as suggested by the Director, Joint Staff. However,\nbecause the Offices of the Chairman of the Joint Chiefs of Staff; the ASD(C3I);\nthe Commander, USJFCOM; and the Director, DISA are represented on the\nInteroperability Senior Review Panel, we redirected the recommendation to the\nCo-Chair, Interoperability Senior Review Panel and request that he provide\ncomments on how those represented offices will update or archive, as\napplicable, outdated ORDs maintained in the JCPAT database.\n\n\n\n\n                                    24\n\x0c      b. Limit Joint Command, Control, Communications, Computers,\nand Intelligence Program Assessment Tool access to users who have a need\nto know.\n\nDirector, Joint Staff Comments. The Director concurred, subject to the\ninclusion of his comments, and suggested that the recommended corrective\naction to limit JCPAT access to users who have a need to know be coordinated\namong the ASD(C3I); the Director, DISA; and Joint Staff directorates. He\nstated that the reason for coordinating the corrective action was because the\nJCPAT is a collaborative database used by the organizations listed in his\nsuggested redirection of the recommendation, as discussed above in\nRecommendation 4.a.\n\nCo-Chair, Interoperability Senior Review Panel Comments. The Co-Chair\xe2\x80\x99s\ncomments to Recommendation 4.a. also applied to this recommendation.\n\nAudit Response. The Director, Joint Staff comments were responsive to the\nintent of our recommendation. In response to those comments, we revised and\nredirected the recommendation as he suggested. Therefore, because the Offices\nof the Chairman of the Joint Chiefs of Staff; the ASD(C3I); the Commander,\nUSJFCOM; and the Director, DISA are represented on the Interoperability\nSenior Review Panel, we redirected the recommendation to the Co-Chair,\nInteroperability Senior Review Panel and request that he provide comments on\nhow those represented offices will limit JCPAT access to users having a need to\nknow.\n\n5. We recommend that the Director, Operational Test and Evaluation\ndefine and implement a plan to test critical operational issues, including\ninteroperability and information assurance requirements, for DoD systems\nin the Global Information Grid.\n\nDirector, Operational Test and Evaluation Comments. The Director\npartially concurred, stating that testing of interoperability and information\nassurance takes on more critical status as we continue to transform into a\nnetwork centric force. Further, he stated that his office already ensures that\ninteroperability is tested to support the assessment of key performance\nparameters provided in the operational requirements documents and published\npolicy in 1999 for testing information assurance.\n\nIn addition, the Director stated that his office conducted an assessment in 2000\nto determine requirements for interoperability testing of systems within the\nscope of a larger networked system of systems linked over the Global\nInformation Grid. As a result of this effort and similar initiatives by the Office\nof the Under Secretary of Defense for Acquisition, Technology, and Logistics\nand the Joint Staff, DoD funded an initial capability called the Joint Distributed\nEngineering Plant in the FY 2002 Program Objectives Memorandum. The\nDirector believes that the objective of the Joint Distributed Engineering Plant\ncapability will permit his office to do the testing called for in this\nrecommendation. However, expanded funding for the Joint Distributed\nEngineering Plant beyond that recommended in the Program Objectives\n\n\n                                    25\n\x0cMemorandum is required before the Plant will provide the full scope called for\nin this recommendation. Further, he stated that interoperability and information\nassurance are key enablers for the future.\n\nCo-Chair, Interoperability Senior Review Panel Comments. The Co-Chair\nagreed, providing comments similar to those by the Director, Operational Test\nand Evaluation concerning testing of interoperability and information assurance\nand testing to support the assessment of key performance parameters provided in\nthe operational requirements documents. Further, he stated that the\nInteroperability Senior Review Panel supports the development of necessary test\ncapabilities to represent relevant aspects of the Global Information Grid that will\nallow programs to test in a system of systems environment. The Co-Chair also\nstated that the Offices of the Under Secretary of Defense for Acquisition,\nTechnology, and Logistics; the ASD(C3I); and the Director, Operational Test\nand Evaluation support expanded funding in the upcoming Program Objectives\nMemorandum for the Joint Distributed Engineering Plant, which will allow\ncost-effective testing of critical operational issues, including interoperability and\ninformation assurance requirements, for DoD systems in the Global Information\nGrid.\n\n\n\n\n                                     26\n\x0cAppendix A. Scope and Methodology\n   We reviewed documentation dated from March 1992 to July 2002. During the\n   audit policies continued to be updated. To accomplish the audit objective, we:\n\n          \xe2\x80\xa2   interviewed and obtained documentation from the staffs of the Under\n              Secretary of Defense for Acquisition, Technology, and Logistics; the\n              Under Secretary of Defense (Comptroller); the Assistant Secretary of\n              Defense (Command, Control, Communications, and Intelligence); the\n              Director, Operational Test and Evaluation; the Office of the Joint\n              Chiefs of Staff; the U.S. Joint Forces Command; the Defense\n              Information Systems Agency; and the Joint Interoperability Test\n              Command.\n\n          \xe2\x80\xa2   reviewed the processes that the Office of the Secretary of Defense,\n              the Office of the Chairman of the Joint Chiefs of Staff, and the\n              Defense agencies used for certifying DoD systems for\n              interoperability and information assurance and whether those\n              processes were effectively implementing DoD information\n              interoperability and information assurance policies.\n\n   Subsequent reports will discuss the adequacy of interoperability key\n   performance parameters in operational requirements documents and the\n   certification process for DoD system interoperability within the Army, the\n   Navy, the Air Force, and the unified combatant commands.\n\n   We performed this audit from September 2001 through July 2002 in accordance\n   with generally accepted government auditing standards. We did not review the\n   management control program because the audit focused on interoperability and\n   information assurance requirements and review processes; therefore, our scope\n   was limited to those specific requirements and processes.\n\n   General Accounting Office High-Risk Area. The General Accounting Office\n   has identified several high-risk areas in the DoD. This report provides coverage\n   of the DoD weapon systems acquisition high-risk area.\n\n   Use of Computer-Processed Data. We did not rely on computer-processed\n   data to perform this audit.\n\n   Use of Technical Assistance. A computer specialist from the Technical\n   Assessment Division, Office of the Assistant Inspector General for Auditing of\n   the Department of Defense, assisted the auditors in reviewing information\n   assurance requirements.\n\n\n\n\n                                      27\n\x0cPrior Coverage\n     During the last 5 years, the General Accounting Office (GAO), the Inspector\n     General of the Department of Defense (IG DoD), and the Defense Science\n     Board have issued five reports addressing interoperability and information\n     assurance requirements for Defense systems. Unrestricted General Accounting\n     Office and Inspector General of the Department of Defense reports can be\n     accessed at http://www.gao.gov and http://www.dodig.osd.mil/audit/reports,\n     respectively.\n\n     General Accounting Office\n            GAO Report No. NSIAD-98-73, \xe2\x80\x9cJoint Military Operations: Weakness\n            in DoD\xe2\x80\x99s Process for Certifying C4I Systems\xe2\x80\x99 Interoperability,\xe2\x80\x9d March\n            1998\n\n     Inspector General of the Department of Defense\n            IG DoD Report No. D-2001-176, \xe2\x80\x9cSurvey of Acquisition Manager\n            Experience using the DoD Joint Technical Architecture in the\n            Acquisition Process,\xe2\x80\x9d August 22, 2001\n\n            IG DoD Report No. D-2001-121, \xe2\x80\x9cUse of the DoD Joint Technical\n            Architecture in the Acquisition Process,\xe2\x80\x9d May 14, 2001\n\n            IG DoD Report No. 98-023, \xe2\x80\x9cImplementation of the DoD Joint\n            Technical Architecture,\xe2\x80\x9d November 18, 1997\n\n     Defense Science Board\n            Defense Science Board Task Force, \xe2\x80\x9cProtecting the Homeland, Report\n            of the Defense Science Board Task Force on Defensive Information\n            Operations, 2000 Summer Study, Volume II,\xe2\x80\x9d March 2001\n\nOther Matters of Interest\n     Key Performance Parameter. Although information assurance is not required\n     to be a KPP in operational requirements documents, without them, milestone\n     decision authorities increase the risk that weapon systems program managers\n     will not achieve secure information exchanges before planned production\n     decisions. We suggested to the Joint Staff (J-8) that information assurance be\n     established as mandatory KPP. The J-8 responded that interoperability was the\n     only mandatory KPP and that KPPs were driven by the capabilities deemed most\n     essential by the warfighter and validated by the requirements authority in\n     accordance with guidance in Chairman of the Joint Chiefs of Staff\n     Instruction 3170.01B, \xe2\x80\x9cRequirements Generation System,\xe2\x80\x9d April 15, 2001.\n\n\n\n                                       28\n\x0cFurthermore, the J-8 stated that the Chairman of the Joint Chiefs of Staff\nInstruction 3170.01B does require information assurance for most information\ntechnology systems and, in some cases, information assurance has been made a\nKPP. For example, the Global Information Grid Capstone Requirement\nDocument requires information assurance as a KPP. Therefore, ORDs for\nprograms operating within the GIG must have information assurance\nrequirements, including designating information assurance as a KPP, as\nappropriate.\n\nInformation Assurance Strategies. DoD policy requires chief information\nofficers to review and confirm that the information assurance strategy is\nconsistent with DoD policies, standards, and architectures. The ASD(C3I) is\nrequired to review the information assurance strategy for all major DoD systems\nbefore the milestone decision authority approves the DoD system for entry into\nthe next acquisition phase. The ASD(C3I) uses a checklist based on the Defense\nInformation Technology Security Certification Accreditation Process to review\ninformation assurance strategies.\n\nOver the past 2 years, the ASD(C3I) has reviewed and had input on\napproximately 40 programs. The ASD(C3I) could not provide the number of\ninformation assurance strategies that had been disapproved, but commented that\nthe goal was to work with program managers toward successful information\nassurance strategies. For non-acquisition DoD systems such as those developed\nfrom advanced concept technology demonstrations, the designated milestone\ndecision authority is required to certify that the system complies with the\nDefense Information Technology Security Certification Accreditation Process\nprocedures before approving the system for fielding. Accordingly, chief\ninformation officers, program managers, and testers must be knowledgeable of\nthose procedures. However, a requirement did not exist for the ASD(C3I) to\nprovide oversight for those non-acquisition DoD systems to verify that the\nsystems had an information assurance strategy and were accredited.\n\nBeginning in July 2002, the National Security Telecommunication and\nInformation Systems Security Policy requires that all U. S. Government\ndepartments limit the acquisition of commercial off-the-shelf information\nassurance and information assurance-enabled products to those that have been\nevaluated and validated in accordance with the:\n\n       \xe2\x80\xa2   Common Criteria,\n\n       \xe2\x80\xa2   National Information Assurance Partnership Evaluation and\n           Validation Program, and\n\n       \xe2\x80\xa2   Federal Information Processing Standards Publications Validation\n           Program.\n\nThe ASD(C3I) stated that chief information officers, program managers, and\ntesters in Defense agencies and Military Departments will have to execute the\npolicy.\n\n\n\n                                   29\n\x0cAppendix B. Definitions of Technical Terms\n   Acquisition Category. An acquisition category determines an acquisition\n   program\xe2\x80\x99s level of review, decision authority, and applicable procedures. The\n   acquisition categories consist of I, major Defense acquisition programs; IA,\n   major automated information systems; II, major systems; III, programs not\n   meeting the criteria for acquisition categories I, IA, or II; and IV, programs\n   designated as such by the Army, Navy, and Marine Corps.\n\n   Advanced Concept Technology Demonstration. An advanced concept\n   technology demonstration is used to determine the military utility of proven\n   technology and to develop the concept of operations that will optimize\n   effectiveness. Advanced concept technology demonstrations are not themselves\n   acquisition programs, but are designed to provide a residual, usable capability\n   upon completion, and possibly transition into acquisition programs. Funding is\n   programmed to support the demonstration for up to 2 years in the field.\n\n   Architecture. An architecture is the structure of components, their\n   interrelationships, and the principal guidelines governing their design and\n   evolution over time.\n\n   Capstone Requirements Document. A capstone requirements document is a\n   document that contains capabilities-based requirements for developing individual\n   ORDs by providing a common framework and operational concept to guide their\n   development. It is an oversight tool containing overarching requirements for a\n   system-of-systems or family-of-systems.\n\n   Combat Developer. A combat developer is the command or agency that\n   formulates doctrine, concepts, organization makeup, materiel requirements, and\n   objectives. Generically, it represents the user community role in the materiel\n   acquisition process.\n\n   Command, Control, Communications, Computers, and Intelligence Support\n   Plan. A C4I support plan describes system dependencies and interfaces in\n   sufficient detail to enable program managers and operational testers to test\n   interoperability key performance parameters derived from information exchange\n   requirements.\n\n   Command, Control, Communications, Computers, and Intelligence\n   Surveillance and Reconnaissance Architecture Framework. The C4I\n   surveillance and reconnaissance architecture framework provides rules,\n   guidance, and product descriptions for developing and presenting different\n   architectural views of a given system to ensure a common denominator for\n   understanding, comparing, and integrating architectures across DoD.\n\n   Critical Operational Issue. A critical operational issue is a key operational\n   effectiveness issue or operational suitability issue that must be examined in the\n   operational test and evaluation to determine the system\xe2\x80\x99s capability to perform\n   its mission.\n\n                                       30\n\x0cDefense Acquisition Executive Summary. The Defense Acquisition Executive\nSummary is a multi-part document, which reports program information and\nassessments; program manager, program executive office, and Component\nacquisition executive comments; and cost and funding data primarily for\nAcquisition Category I programs.\n\nDefense-in-Depth. Defense-in-depth integrates the capabilities of people,\noperations, and technology to establish multi-layer, multi-dimension protection\nof networked systems. The concept is to deploy defenses at multiple locations\nin successive layers in the protected information environment. Defense\xe2\x80\x93in\xe2\x80\x93\ndepth focuses on the local computing environments (or enclaves), enclave\nboundaries, networks that link enclaves, and supporting infrastructures.\n\nDevelopmental Test and Evaluation. Developmental test and evaluation is any\nengineering type of test used to verify the status of technical progress, verify\nthat design risks are minimized, substantiate achievement of contract technical\nperformance, and certify readiness for initial operational testing. Generally,\nthose tests are instrumented and measured by engineers, technicians, or soldier\noperator-maintainer test personnel in a controlled environment to facilitate\nfailure analysis.\n\nGlobal Information Grid. The Global Information Grid provides the\nfoundation for network-centric warfare, information superiority, decision\nsuperiority, and ultimately, full spectrum dominance. The GIG includes any\nsystem, equipment software, or service that transmits information to, receives\ninformation from, routes information among or interchanges information among\nother equipment, software, and services. Non-GIG Information Technology is\nstand-alone, self-contained, or embedded information technology that is not or\nwill be connected to the enterprise network.\n\nInformation Assurance. Information assurance is information operations that\nprotect and defend the information and information systems by ensuring their\navailability, integrity, authenticity, confidentiality, and nonrepudiation.\nInformation assurance provides for the restoration of information systems by\nincorporating protection, detection, and reaction capabilities.\n\nInformation Exchange Requirements. Information exchange requirements\ncharacterize the information exchanges to be performed by a proposed system\nand identify who exchanges what information with whom, why the information\nis necessary, and how the users will employ that information.\n\nInformation Technology. Information technology includes any equipment or\ninterconnected system or subsystem of equipment that is used in automatic\nacquisition, storage, manipulation, management, movement, control, display,\nswitching, interchange, transmission, or reception of data or information.\nInformation technology includes computers, software, firmware, ancillary\nequipment and similar procedures, services, and related resources.\n\nInformation Warfare. Information warfare is used to achieve information\nsuperiority by affecting adversary information, information-based processes,\n\n\n                                   31\n\x0cinformation systems, and computer-based networks while defending one\xe2\x80\x99s own\ninformation, information-based processes, information systems, and\ncomputer-based networks.\n\nInteroperability. Interoperability is the ability of systems, units, or forces to\nprovide services to or accept services from other systems, units, or forces and to\nuse the services so exchanged to operate effectively together.\n\nInteroperability Certification Process. The interoperability certification\nprocess consists of two interoperability certifications; the first for requirements\nand supportability documents and the second for interoperability certification\ntesting. The Chairman of the Joint Chiefs of Staff (J-6) and the Joint\nInteroperability Test Command are responsible for requirements and\nsupportability document certification and for interoperability certification\ntesting, respectively.\n\nInteroperability Senior Review Panel. The Interoperability Senior Review\nPanel recommends programs and systems deemed to have significant\ninteroperability deficiencies for the Interoperability Watch List. The Panel is\ncomposed of the staffs from the Under Secretary of Defense for Acquisition,\nTechnology, and Logistics; the ASD(C3I); the Director, Operational Test and\nEvaluation; the USJFCOM, and the Joint Staff.\n\nJoint Distributed Engineering Plant. The Joint Distributed Engineering Plant\nis a DoD-wide effort to link existing Defense agencies and Military Departments\nand joint combat system engineering and test sites (including design activities,\nsoftware support activities, test and evaluation facilities, training commands,\nand operational units). The Joint Distributed Engineering Plant is designed to\nimprove the interoperability of weapon systems and platforms through rigorous\ntesting and evaluation in a replicated battlefield environment.\n\nJoint Mission Area. A joint mission area is a functional group of joint tasks\nand activities that share a common purpose and facilitate joint force operations.\n\nJoint Operational Architecture. A joint operational architecture describes\ntasks and activities, operational elements, and information flows required to\naccomplish or support military operations; defines types of information\nexchanged, frequency of exchange, which tasks and activities are supported by\ninformation exchanges, and nature of information exchanges in detail sufficient\nto ascertain specific interoperability requirements.\n\nJoint Requirements Oversight Council. The Joint Requirements Oversight\nCouncil assists the Chairman of the Joint Chiefs of Staff in identifying and\nassessing the priority of joint military requirements (including existing systems\nand equipment) to meet the national military strategy. The council, chaired by\nthe Vice Chairman of the Joint Chiefs of Staff and consisting of all the Vice\nChiefs of the Military Departments including the Assistant Commandant of the\nMarine Corps, directly supports the Defense Acquisition Board through review,\nvalidation, and approval of key cost, schedule, and performance parameters at\n\n\n\n                                     32\n\x0c        the start of the acquisition process, before each milestone review, and as\n        requested by the Under Secretary of Defense for Acquisition, Technology, and\n        Logistics.\n\n        Joint Systems Architecture. The joint systems architecture identifies and\n        describes those DoD systems and their interconnections needed to accomplish\n        the tasks and activities described in the Joint Operational Architecture.\n\n        Joint Technical Architecture. The joint technical architecture is a common set\n        of mandatory information technology standards, which are primarily interface\n        standards and guidelines to be used by all emerging systems and systems\n        upgrades, including advanced concept technology demonstrations. The joint\n        technical architecture can be used to establish a system\xe2\x80\x99s technical architecture,\n        and is applicable to all C4I and automated information systems and the\n        interfaces of other key assets, such as weapon systems and sensors, with C4I\n        systems.\n\n        Key Performance Parameters. Key performance parameters are capabilities\n        or characteristics so significant that failure to meet the threshold or minimum\n        acceptable value can be cause for the concept or system selected to be\n        reevaluated or for the program to be reassessed or terminated.\n\n        Measure of Effectiveness. A measure of effectiveness is the quantitative\n        expression defined to measure operational capabilities in terms of engagement of\n        battle outcomes.\n\n        Measures of Performance. Measures of performance measure a system\xe2\x80\x99s\n        technical performance expressed as speed, payload, range, time on station,\n        frequency, or other distinctly quantifiable performance features. Several\n        measures of performance may be related to the achievement of a particular\n        measure of effectiveness.\n\n        National Security System. A national security system is any\n        telecommunication or information system operated by the United States\n        Government, whose function, operation, or use involves intelligence activities,\n        cryptologic activities related to national security, command and control of\n        military forces, equipment that is an integral part of a weapon system, or is\n        critical to the direct fulfillment of military or intelligence missions.\n\n        Network-Centric Warfare. Network-centric warfare14 allows a warfighting\n        force to achieve improved information positions in the form of common\n        operational pictures that provide the basis for shared situational awareness and\n        knowledge, and a resulting increase in combat power.\n\n        Operational Architecture View. The operational architecture view is a\n        description of the tasks and activities, operational elements, and information\n\n14\n An in-depth discussion of network-centric warfare is provided in the book, Network Centric Warfare:\nDeveloping and Leveraging Information Superiority, 2nd Edition (Revised), by David S. Alberts, John J.\nGarstka, and Frederick P. Stein, C4I Surveillance and Reconnaissance Cooperative Research Program,\nAugust 1999.\n\n                                                 33\n\x0cflows required to accomplish or support a military operation. This architecture\nview defines the types of information exchanged, the frequency of exchange,\nwhich tasks and activities are supported by the information exchanges, and the\nnature of information exchanges in detail sufficient to ascertain specific\ninteroperability requirements.\n\nOperational Effectiveness. Operational effectiveness is the overall degree of\nmission accomplishment of a system when representative personnel use the\nsystem in the environment planned or expected for operational employment of\nthe system, considering organization, doctrine, tactics, survivability,\nvulnerability, and threat.\n\nOperational Requirements Document. The operational requirements\ndocument states the user\xe2\x80\x99s objectives and minimum acceptable requirements for\nthe operational performance of a proposed concept or system.\n\nOperational Suitability. Operational suitability is the degree to which a system\ncan be placed satisfactorily in field use with consideration being given to\navailability, compatibility, transportability, interoperability, reliability, wartime\nusage rates, maintainability, safety, human factors, manpower supportability,\nlogistic supportability, natural environmental effects, documentation, and\ntraining requirements.\n\nOperational Test and Evaluation. Operational test and evaluation is field\ntesting, under realistic conditions, of any item or component of weapons,\nequipment, or munitions to determine their effectiveness and suitability for use\nin combat by typical military users and the evaluation of the results of such\ntests.\n\nPlanning, Programming, and Budgeting System. The Planning,\nProgramming, and Budgeting System is the primary resource allocation process\nof DoD. It is a formal, systematic structure for making decisions on policy,\nstrategy, and the development of forces and capabilities to accomplish\nanticipated missions.\n\nProgram. A program is an acquisition funded by research, development, test\nand evaluation or procurement appropriations, or both, with the express\nobjective of providing a new or improved capability in response to a stated\nmission need or deficiency.\n\nProgram Objectives Memorandum. The Program Objectives Memorandum is\nan annual memorandum, which the DoD Component Heads submit to the\nSecretary of Defense, that recommends the total resource requirements and\nprograms within the parameters of the Secretary of Defense\xe2\x80\x99s fiscal guidance.\n\nRisk. Risk is a combination of the likelihood that a threat will occur, the\nlikelihood that a threat occurrence will result in an adverse impact, and the\nseverity of the resulting adverse impact.\n\n\n\n\n                                     34\n\x0cSystem. A system is the organization of hardware, software, materiel,\nfacilities, personnel, data, and services needed to perform a designated function\nwith specified results, such as the gathering of specified data, its processing, and\ndelivery to users.\n\nSystem-of-Systems. System-of-systems, also known as a family-of-systems, is\nseveral independent programs which, when integrated, form a system to meet\nthe needs of a broad mission area such as missile defense. The performance of\nthe individual component programs making up the system-of-systems is\nspecified in the respective program ORDs; the overarching requirements for the\nsystem-of-systems is contained in a CRD.\n\nSystems Architecture View. The systems architecture view is a description,\nincluding graphics, of systems and interconnections providing for, or\nsupporting, warfighting functions. This architecture view associates physical\nresources and their performance attributes to the operational view and its\nrequirements in accordance with standards defined in the technical architecture.\n\nTechnical Architecture View. The technical architecture view is the minimum\nset of rules governing the arrangement, interaction, and interdependence of\nsystem parts or elements, whose purpose is to ensure that a conformant system\nsatisfies a specified set of requirements. This architecture view includes a\ncollection of the technical standards, conventions, rules, and criteria organized\ninto profile(s) that govern system services, interfaces, and relationships for\nparticular systems architecture views and that relate to particular operational\nviews.\n\nTest and Evaluation Master Plan. The test and evaluation master plan\n(TEMP) documents the overall structure and objectives of the test and\nevaluation program. It provides a framework within which to generate detailed\ntest and evaluation plans and it documents schedule and resource implications\nassociated with the test and evaluation program. The TEMP identifies the\nnecessary developmental test and evaluation, operational test and evaluation, and\nlive-fire test and evaluation activities. Further, the TEMP relates program\nschedule, test management strategy and structure, and required resources to\ncritical operational issues, critical technical parameters, objectives and\nthresholds documented in the operational requirements document, evaluation\ncriteria, and milestone decision points.\n\nTest Integration Working Group. The Test Integration Working Group\nfacilitates the integration of test requirements through close coordination\nbetween the materiel developer, combat developer, logistician, and\ndevelopmental and operational testers to minimize development time and cost,\nand preclude duplication between developmental and operational testing.\n\n\n\n\n                                    35\n\x0cAppendix C. Interoperability Action Plan of the\n            Under Secretary of Defense for\n            Acquisition, Technology, and\n            Logistics for Command and\n            Control Systems15\n\n                                                                                                       100%\n        Interoperability\n\n\n\n                                                    New and Enhanced Legacy Systems\n                                                                  4\n\n\n\n\n                                                         Policies, Directives, Processes,\n     Phaseout Legacy                                     Standards, and Architectures 2\n     (FIOP) (JI&I) (JDEP) 3\n\n\n\n\n                                          Doctrine, Organization (Training, Tactics, Techniques, Procedures),\n                                          Leadership, Personnel, and Facilities 1\n\n\n 2000                2001                        2003              2005                                     2008\n                                                                                              Legacy command and\n                   Policy               Overarching battle         \xe2\x80\x9cReadily Resolvable\xe2\x80\x9d       control\n                   modifications        management/                interoperability           interoperability\n                   and transition       command and                problems solved for        problems resolved;\n                   plans in place       control begin to           legacy command and         Interoperability\n                                        take effect                control systems            institutionalized in\n                                                                                              processes and\n                                                                                              Architectures\n\n\n15\n The numbers in the diagram relating to the elements required to achieve interoperability are described\non the next page.\n\n\n                                                   36\n\x0cAccording to the Director of Interoperability, Office of the Under Secretary of\nDefense for Acquisition, Technology, and Logistics, the following four major\nelements are needed to achieve interoperability for command and control\nsystems.\n\n       1. Doctrine, organization, training, tactics, techniques and procedures,\n          leadership, personnel, facilities, which form the foundation for any\n          military operation.\n\n       2. Policies, directives, processes, standards, and architectures without\n          which real progress is impossible. Policies are necessary; however\n          they are not sufficient.\n\n       3. To transition from legacy DoD systems to the future vision,\n          overarching battle management command and control programs are\n          necessary to provide for legacy DoD systems\xe2\x80\x99 integration and\n          transition to the desired interoperability state. Those overarching\n          programs are:\n          \xe2\x80\xa2 The Family of Interoperable Operational Pictures (FIOP), which\n              will provide for systems engineering solutions for achieving\n              interoperability of more than 30 critical battle management\n              command and control systems (fielded and in development),\n              within appropriate \xe2\x80\x9ccommunities of shared interest,\xe2\x80\x9d from the\n              combatant commander to the soldier, sailor, marine, airman, and\n              coalition partners, including the seams between the Single\n              Integrated Air Picture, a Single Integrated Ground Picture, a\n              Single Integrated Maritime Picture, and the Common Operational\n              Picture/Common Tactical Picture.\n          \xe2\x80\xa2 The Joint Interoperability and Integration (JII) reviews legacy and\n              future systems\xe2\x80\x99 interoperability requirements in the total context\n              of doctrine, operations, training, materiel, logistics, personnel,\n              and facilities, and is tied to an \xe2\x80\x9cInteroperability Transition Fund\xe2\x80\x9d\n              intended to focus on priority interoperability fixes.\n          \xe2\x80\xa2 The Joint Distributed Engineering Plant (JDEP) is designed to\n              improve interoperability through distributed testing and\n              evaluation involving the Services, DoD Components, and\n              eventually industrial and allied resources.\n       4. New systems such as the Joint Tactical Radio System will contribute\n          to the interoperability solution. Many marginally interoperable\n          legacy systems will be phased out. The Quadrennial Defense Review\n          and the normal Planning, Programming, and Budgeting System\n          process should be used to determine priorities and funding for those\n          systems.\n\nThe Under Secretary of Defense for Acquisition, Technology, and Logistics,\nestimates that if the overarching programs did not transition from the legacy to\nthe future vision, the time to achieve the desired interoperability state would\nmost likely double.\n\n\n                                    37\n\x0cAppendix D. Global Information Grid\n   Global Information Grid. The GIG provides the foundation for network-\n   centric warfare, information superiority, decision superiority, and ultimately full\n   spectrum dominance as depicted below.\n\n\n\n\n   Global Information Grid as the Foundation for Achieving Full Spectrum\n   Dominance\n   Source: Capstone Requirements Document for the GIG\n\n\n   The concept of the GIG evolved from concerns about the interoperability and\n   end-to-end integration of automated information systems. Issues such as\n   streamlined management and improved information infrastructure investment\n   also contributed to the heightened interest in a GIG. However, the real demand\n   for a GIG originates from the requirement for information and decision\n   superiority to achieve full spectrum dominance, as expressed in Joint\n   Vision 2020. The ability to achieve shared situational awareness and knowledge\n   among all elements of a joint force, including allied and coalition partners, is\n   increasingly viewed as a cornerstone to transform future warfighting\n   capabilities.\n\n   Network-Centric Warfare. The GIG capstone requirement document states\n   that network-centric warfare allows a warfighting force to achieve improved\n   information positions in the form of common operational pictures that provide\n   the basis for shared situational awareness and knowledge, and a resulting\n   increase in combat power.\n\n   Information Superiority. Information superiority is the capability to collect,\n   process, and disseminate an uninterrupted flow of information while exploiting\n   or denying an adversary\xe2\x80\x99s ability to do the same. Information superiority is\n   achieved in a noncombat situation or one in which there are no clearly defined\n   adversaries when friendly forces have the information necessary to achieve\n\n                                         38\n\x0coperational objectives. Information superiority provides the joint force with a\ncompetitive advantage only when it is effectively translated into superior\nknowledge and decisions. The joint force must be able to take advantage of\nsuperior information converted to superior knowledge to achieve \xe2\x80\x9cdecision\nsuperiority.\xe2\x80\x9d\n\nDecision Superiority. Decision superiority is to arrive at better decisions and\nimplemented faster than an opponent can react, or in a noncombat situation, at a\ntempo that allows the force to shape the situation or react to changes and\naccomplish its mission. Decision superiority does not automatically result from\ninformation superiority. Organizational and doctrinal adaptation, relevant\ntraining and experience, and the proper command and control mechanisms and\ntools are equally necessary.\n\nFull Spectrum Dominance. The transformation of the joint force to reach full\nspectrum dominance rests upon information superiority as a key enabler and our\ncapacity for innovation. The label full spectrum dominance implies that U.S.\nForces are able to conduct prompt, sustained, and synchronized operations with\ncombinations of forces tailored to specific situations and with access to and\nfreedom to operate in all domains: space, sea, land, air, and information.\nAdditionally, given the global nature of our interests and obligations, the United\nStates must maintain its overseas presence forces and the ability to rapidly\nproject power worldwide in order to achieve full spectrum dominance.\n\n\n\n\n                                    39\n\x0cAppendix E. Multiple Factors Affecting the\n            Implementation of Interoperability\n            Requirements in the Weapon\n            System Development Process\n   The following diagram shows the complex relationships governing the\n   development of an interoperable system. The diagram shows four relationships\n   for achieving interoperability.\n\n          \xe2\x80\xa2   People and Organizations. Organizations with responsibility for\n              verifying and validating interoperability requirements before\n              production decisions are shown in the diagram. Milestone decision\n              authorities can not approve DoD systems for production before\n              interoperability requirements are determined and tested.\n\n          \xe2\x80\xa2   Policies. Program managers of DoD systems need to comply with\n              numerous policies, doctrines, and architectures that define how the\n              systems must operate in different environments and circumstances\n              around the world. Therefore, combat developers must clearly depict\n              the doctrine, training, organizations, soldiers, facilities, and\n              relationship of the system to joint and allied systems before\n              developing and acquiring a system.\n\n          \xe2\x80\xa2   Integrated Testing Environments. Military Departments need test\n              facilities and equipment to test the achievement of interoperability\n              requirements for a DoD system in development. To realistically test\n              how a system will interoperate in a joint and allied environment as\n              envisioned in the GIG and Joint Vision 2020, additional equipment\n              and resources may be required or shared with integrated testing\n              environments.\n\n          \xe2\x80\xa2   Cost. The Planning, Programming, and Budgeting System is a\n              structured process that results in funding for DoD systems. Materiel\n              developers of DoD systems attempt to maintain the planned\n              acquisition strategy. If the acquisition strategy is not maintained,\n              adjustments to the funding process should be made that are not\n              always possible because of other DoD funding priorities.\n\n   All of the relationships must be met for a DoD system to meet the user\xe2\x80\x99s\n   requirement for interoperability.\n\n\n\n\n                                      40\n\x0c                                              Multiple Factors Affecting the Implementation\n                                                of Interoperability Requirements in the\n                                                 Weapon Systems Development Process\n                                                                                                         Integrated Testing\n            People and Organizations                                               DoD Sy                   Environment\n                                                                                         st       ems                                 ACTDs and\n        CINCs                                                              Informa                  Global                            Experimentation\n                                    JCS                                              tion As\n        USJFCOM                                                                             surance\n                                                                                                    Information\n                                       (J-6)(J-8) (J-3)\n\n\n\n\n                                                                                     ent\n                                         USD (AT&L)                                                 Grid\n\n\n\n\n                                                                                           Law\n      USD Comptroller\n\n\n\n\n                                                                                  ipm\n                                          ASD C3I\n\n\n\n\n                                                                                            cy/\n\n\n                                                                              E qu\n                                                Military Department CIOs\n\n\n\n\n                                                                                       Poli\n     Combat Developers                                                                                            Testing\n     (Authors of ORDs)                                                                                                               Facilities\n                                                    DOT&E\n                                                     DISA/JITC                                                       g\n                                                                                                                     ic\n     Materiel Developers                                                                                      a i nin\n                                                        Milestone\n                                                                                                             e\n                                                                                                           st\n                                                                                                           R\n\n\n\n\n41\n                                                        Decision Authority\n                                                                                                         Su alist\n                                                                                                                                                  Interoperability\n                           Doctrine                                                                                                               in DoD Systems\n                                                            DoD Instruction 5000 series\n\n\n\n\n                  n\n                                                            DoD Instruction 4630 series\n\n\n\n\n               tio\n                                                            CJCS Instruction 3170.01B\n\n\n\n\n             ali\n                                                            CJCS Instruction 6212.01B\n\n\n\n\n           Co\n                        int\n                                                            Military Department Regulations\n\n\n\n\n                       ce\n\n\n                     Jo\n                                       JCS J-6\n\n\n\n\n                 e rvi\n                                       Certification\n\n\n\n\n                S\n                                                                                                                          Congress\n                                       (CJCSI 6212.01B)\n                                                                                                                          PPBS\n       Joint Vision           Architecture\n        2020\n                                                            CINCs\n\n\n\n\n                                          Op\n                                            e ra\n                                                            Missions\n\n\n\n\n                           Sys\n\n                             T  e\n                                                            Coalitions\n\n\n\n\n                                  c\n                                               tion\n\n                               tem\n       Policies                                                                                   Cost\n\n\n                                     s\n                                                   al\n\n\n\n\n                                    hni\n                                        cal\n\x0cAcronyms\n\nACTD                Advanced Concept Technology Demonstration\nCINC                Commander-in-Chief\nCJCSI               Chairman of the Joint Chiefs of Staff Instruction\nCIO                 Chief Information Officer\nDODI                Department of Defense Instruction\nDOT&E               Director, Operational Test and Evaluation\nJCS                 Joint Chiefs of Staff\nJ-3                 Director for Operations, Joint Chiefs of Staff\nJ-6                 Director for Command, Control, Communications and Computers\n                        Systems, Joint Chiefs of Staff\nJ-8                 Director for Force Structure, Resources, and Assessments, Joint\n                        Chiefs of Staff\nJITC                Joint Interoperability Test Command\nPPBS                Planning, Programming, and Budgeting System\nUSD(AT&L)           Under Secretary of Defense for Acquisition, Technology, and\n                        Logistics\nUSD (Comptroller)   Under Secretary of Defense (Comptroller)/Chief Financial Officer\nUSJFCOM             U.S. Joint Forces Command\n\n\n\n\n                                   42\n\x0cAppendix F. Interoperability and Information\n            Assurance Policies\n   The following discusses relevant DoD and Joint Staff policies on interoperability\n   and information assurance.\n\n   Interoperability Policy. DoD Directive 4630.5, \xe2\x80\x9cInteroperability and\n   Supportability of Information Technology (IT) and National Security Systems\n   (NSS)\xe2\x80\x9d January 11, 2002; DoD Instruction 4630.8, \xe2\x80\x9cProcedures for\n   Interoperability and Supportability of Information Technology (IT) and National\n   Security Systems (NSS),\xe2\x80\x9d May 2, 2002; DoD Instruction 5000.2, \xe2\x80\x9cOperation of\n   the Defense Acquisition System,\xe2\x80\x9d April 5, 2002; DoD Regulation 5000.2-R,\n   \xe2\x80\x9cMandatory Procedures for Major Defense Acquisition Programs (MDAPs) and\n   Major Automated Information System (MAIS) Acquisition Programs,\xe2\x80\x9d April 5,\n   2002; Chairman of the Joint Chiefs of Staff Instruction 3170.01B,\n   \xe2\x80\x9cRequirements Generation System,\xe2\x80\x9d April 15, 2001; and Chairman of the Joint\n   Chiefs of Staff Instruction 6212.01B, \xe2\x80\x9cInteroperability and Supportability of\n   National Security Systems, and Information Technology Systems,\xe2\x80\x9d May 8,\n   2000, provide policy on interoperability.\n\n           DoD Directive 4630.5. DoD Directive 4630.5 requires that information\n   technology and national security systems\xe2\x80\x99 interoperability and supportability\n   needs be identified through the requirements definition and validation process,\n   during the acquisition process, and updated as necessary throughout the system\xe2\x80\x99s\n   life. Those requirements will be specified to a level of detail that allows\n   verification of interoperability throughout a system\xe2\x80\x99s life. Also, those\n   requirements will be characterized through operational mission area integrated\n   architectures, operational concepts, and capstone requirements documents\n   (CRDs) derived from joint mission areas and business and administrative\n   mission areas. The joint operational architecture, the joint systems architecture,\n   and the joint technical architecture serve as the foundation for development of\n   operational mission area integrated architectures. Operational mission area\n   integrated architectures connect information technology and the national security\n   systems\xe2\x80\x99 interoperability and supportability requirements in a family-of-systems\n   and system-of-systems context. Information technology and national security\n   systems\xe2\x80\x99 information exchange requirements and associated interoperability key\n   performance parameters (KPPs) are to be derived from the operational view of\n   the mission area integrated architecture. Further, DoD is required to develop,\n   acquire, and deploy C3I systems and equipment for U.S. Forces that are\n   compatible with existing and planned C3I systems.\n\n           DoD Instruction 4630.8. DoD Instruction 4630.8 requires that joint,\n   combined, coalition, and interagency missions must be supported through\n   interoperable information technology and national security systems in global\n   operations across the peace-conflict spectrum. All information technology and\n   national security systems for U.S. Forces use are to be considered for use by\n   joint, allied, and other U.S. Government departments and agencies.\n   Information technology and national security systems\xe2\x80\x99 interoperability and\n\n\n                                       43\n\x0csupportability requirements are to be identified through the mission area\nintegrated architectures. Interoperability requirements are required to be\nmanaged, evaluated, and reported throughout the life of the system. All DoD\nacquisition category programs will use a C4I support plan to document\ninteroperability requirements. Additionally, interoperability and supportability\nrequirements are required to be balanced with the need for information\nassurance. The DoD Components are required to submit mission need\nstatements, CRDs, ORDs, and C4I support plans for all information technology\nand national security system acquisitions or procurements to the Joint Staff for\nreview to comply with joint policy, doctrine, and interoperability requirements.\nAdditionally, requirements documents are to be reviewed by the Director,\nDefense Information Systems Agency for compliance with the DoD Joint\nTechnical Architecture.\n\nFurthermore, the Joint Staff is to develop, approve, and direct the use of the\nJoint Mission Area-based Joint Operational Architecture and direct its use when\ndeveloping information technology and national security systems\xe2\x80\x99\ninteroperability requirements. The Instruction states that the Director,\nOperational Test and Evaluation is to develop policy and processes to test and\nevaluate information technology and national security systems in order to\naccurately assess the level of interoperability of the tested system with the\nintended family-of-systems with which it must operate. Additionally, the\nDirector, Operational Test and Evaluation is required to confirm that the TEMP\nhas identified information technology and national security systems\xe2\x80\x99\ninteroperability requirements for programs tested under the Director,\nOperational Test and Evaluation\xe2\x80\x99s oversight.\n\n       DoD Instruction 5000.2. DoD Instruction 5000.2 states that the user\nrepresentative, with support from the operational test and evaluation community,\ndevelops the needs expressed in the mission need statement into requirements in\nthe form of CRDs, if applicable, and ORDs. CRDs contain capabilities-based\nrequirements to develop individual ORDs that provide a common framework\nand operational concept. The CRD is an oversight tool that establishes\noverarching requirements for a family of systems. Validated ORDs translate the\nmission needs statement and, if applicable, CRDs into broad, flexible, and\ntime-phased operational goals that are further detailed and refined into specific\noperational capability requirements in the final ORD. The appropriate\nrequirements authority validates all mission needs statements, CRDs, and\nORDs.\n\n        DoD Regulation. DoD Regulation 5000.2-R states that, during the\nrequirements generation process, users will develop interoperability KPPs for all\nCRDs and ORDs. In developing the ORD, the ORD sponsor considers using\nthe products described in the C4 I Surveillance and Reconnaissance Architecture\nFramework and universal resources such as the joint technical architecture. The\njoint operational architecture and the joint technical architecture serve as the\nfoundation for evolutionary development of those mission area integrated\narchitectures. Mission area integrated architectures are to state information\ntechnology and national security systems\xe2\x80\x99 interoperability requirements in a\nfamily-of-systems mission area context. The user is to derive family-of-system\n\n\n                                   44\n\x0cinformation technology and national security systems information exchange\nrequirements from the operational information exchange requirements of the\nmission area integrated architecture.\n\nFurther, the regulation requires the overarching integrated product team to\nassess family-of-system or system-of-system capabilities for DoD systems within\nmission areas in support of mission area operational architectures developed by\nthe Joint Staff before milestone decisions. Further, the ORD sponsor is to\ncharacterize information interoperability, as applicable, within a family-of-\nsystems, a mission area, and a mission for all information technology and\nnational security systems. Available mission area integrated architectures are to\nbe used to develop information technology and national security systems\xe2\x80\x99\ninteroperability requirements. The regulation also states that the joint\noperational architecture and the joint technical architecture serve as the\nfoundation for evolutionary development of mission area integrated\narchitectures. The implementation of the joint technical architecture is required\nfor all new, or changes to existing, information technology systems, including\nNational Security systems.\n\nThe regulation also requires that all major Defense acquisition programs,\nprograms on the Office of the Secretary of Defense Test and Evaluation\nOversight list, legacy systems, and all programs and systems that must be\ninteroperable with them be subject to interoperability evaluations throughout\ntheir life cycles to validate their ability to support mission accomplishment. At\ntheir discretion, the Under Secretary of Defense for Acquisition, Technology,\nand Logistics; the ASD(C3I); the Chairman of the Joint Chiefs of Staff ; the\nCommander, USJFCOM; and the Director, Operational Test and Evaluation can\nplace programs and systems deemed to have significant interoperability\ndeficiencies on the Interoperability Watch List (Watch List). Program managers\nwith a program on the Watch List must take corrective actions to address\nidentified interoperability deficiencies to remove their programs from the Watch\nList.\n\nThe regulation requires that, for programs on the Watch List, program\nmanagers will provide periodic updates of their status towards correcting\nidentified deficiencies to senior representatives of Under Secretary of Defense\nfor Acquisition, Technology, and Logistics; ASD(C3I); the Director,\nOperational Test and Evaluation; the USJFCOM; and the Joint Staff. The\nprogram managers of DoD systems, or other cognizant officials, and the\nresponsible test organization (either developmental or operational), in\nconjunction with JITC, are to provide those updates. Those updates are to\nsupport an assessment on whether interoperability issues are being adequately\naddressed, and whether a status change is warranted; for example, whether the\nprogram or system should be removed from the Watch List, kept on the Watch\nList, or proposed for Director, Operational Test and Evaluation oversight. Staff\nmembers of the Under Secretary of Defense for Acquisition, Technology, and\nLogistics; the ASD(C3I); the Director, Operational Test and Evaluation; the\nUSJFCOM; and the Joint Staff are to prepare quarterly reports summarizing the\nactivities of systems and programs on the Watch List.\n\n\n\n                                   45\n\x0c        Joint Staff Instruction 3170.01B. Chairman of the Joint Chiefs of Staff\nInstruction 3170.01B requires that the Joint Staff J-6 certify mission need\nstatements, CRDs, and ORDs, regardless of acquisition category, for\nconformance with joint C4I policy and doctrine, technical architectural integrity,\nand interoperability standards. The Joint Staff J-6 is to review and comment on\ninteroperability KPPs and coordinate C4I issues concerning mission need\nstatements, capstone requirement documents, and ORDs with the appropriate\nagencies.\n\nThe Joint Staff J-6 is to forward for coordination the C4I interoperability\nrequirements certification to the Joint Requirement Oversight Council for major\nDoD acquisition programs, major automated information systems, and special\ninterest programs or to the sponsoring DoD Component for major systems and\nbelow programs. Failure for those systems to meet a KPP threshold in an ORD\ncan be a reason for the system selection to be reevaluated or for the program to\nbe reassessed or terminated.\n\n        Joint Staff Instruction 6212.01B. Chairman of the Joint Chiefs of Staff\nInstruction 6212.01B requires the USJFCOM to provide comments to the Joint\nStaff J-6 on interoperability issues for all acquisition category programs to\nensure that each ORD contains interoperability KPPs and information exchange\nrequirements. Furthermore, commanders of combatant commands, Military\nDepartments, and Defense agencies are to incorporate interoperability testing\ninto their overall testing plans in coordination with the Defense Information\nSystems Agency (DISA) and Joint Interoperability Test Center (JITC). In\naddition, JITC is to certify test results for all interoperability system tests.\n\n       DoD Chief Information Officer Memorandum. In DoD Chief\nInformation Officer Guidance and Policy Memorandum No. 8-8001,\nMarch 31, 2000, the DoD Chief Information Officer authorizes the Director,\nOperational Test and Evaluation to include critical operational issues addressing\ninteroperability and information assurance in the Global Information Grid\noperational test and evaluation.\n\nInformation Assurance Policy. DoD Regulation 5000.2-R, DoD\nInstruction 5200.40, \xe2\x80\x9cDoD Information Technology Security Certification and\nAccreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997; Chairman of the Joint\nChiefs of Staff Instruction 3170.01B; Chairman of the Joint Chiefs of Staff\nInstruction 6510.01C, \xe2\x80\x9cInformation Assurance and Computer Network\nDefense,\xe2\x80\x9d May 1, 2001; and Director, Operational Test and Evaluation\nmemorandum, \xe2\x80\x9cPolicy for Operational Test and Evaluation of Information\nAssurance,\xe2\x80\x9d November 17, 1999, provide policy on information assurance.\n\n       DoD Regulation. DoD Regulation 5000.2-R requires program\nmanagers to incorporate information assurance requirements into program\ndesign functions to ensure availability, integrity, authenticity, confidentiality,\nand nonrepudiation of critical system information. Further, program managers\nare to manage information systems using the best processes and practices to\nreduce security risks, including the risks to timely accreditation.\n\n\n\n                                    46\n\x0cFurthermore, the regulation requires that information assurance testing be\nconducted on information systems to ensure that planned and implemented\nsecurity measures satisfy ORD and System Security Authorization Agreement\nrequirements when the system is installed and operated in its intended\nenvironment. The program manager, operational test and evaluation authority,\nand designated approving authority are to coordinate and determine the level of\nrisk associated with operating the system and the extent of security testing\nrequired. Requirements to reconstitute or recover information system\ncapabilities damaged by information assurance threat agents are also to be tested\nduring operational test and evaluation.\n\nThe regulation requires that all weapon, command, control, communications,\ncomputers, intelligence, surveillance, and reconnaissance, and information\nprograms that are dependent on external information sources, or that provide\ninformation to other DoD systems, be assessed for information assurance. The\nlevel of information assurance testing depends on the system risk and\nimportance. Systems with the highest importance and risk are to be subject to\npenetration-type testing prior to the beyond low-rate initial production decision.\nSystems with minimal risk and importance are to be subject to normal National\nSecurity Agency security and developmental testing, but not subject to field\npenetration testing during operational test and evaluation.\n\n        DoD Instruction. DoD Instruction 5200.40 establishes the DoD\nInformation Technology Security Certification and Accreditation Process for\nsecurity certification and accreditation of unclassified and classified information\ntechnology. The Process sets forth the activities and management structure to\ncertify and accredit information technology systems that will maintain the\nsecurity posture of the Defense Information Infrastructure. The Process\nrequires a System Architecture Analysis, which requires the system architecture\nto comply with the Systems Security Authorization Agreement architecture\ndescription. The interfaces between this and other systems are to be identified\nand the interfaces evaluated to assess their effectiveness in maintaining the\nsecurity posture of the infrastructure.\n\n        Joint Staff Instruction 3170.01B. Chairman of the Joint Chiefs of Staff\nInstruction 3170.01B states that information assurance is required for all DoD\nsystems that are used to enter, process, store, display, or transmit DoD\ninformation, regardless of classification or sensitivity. Information assurance\nrequirements are to be codeveloped and coevolved with those for information\ninteroperability.\n\n         Joint Staff Instruction 6510.01C. Chairman of the Joint Chiefs of Staff\nInstruction 6510.01C provides joint policy and guidance for information\nassurance and computer network defense operations. Information assurance is\ncritical to the military\xe2\x80\x99s ability to conduct warfare and is the responsibility of all\nwarfighters. Because of the universal nature of the Global Information Grid, a\nrisk assumed by one organization, at any organization level, can be a risk\nimposed on all DoD organizations. Accordingly, the requirement for\nimplementing information assurance is at all organization levels. The primary\nmethod of using information assurance is through the defense-in-depth strategy.\n\n\n                                     47\n\x0cTo prevent a potential breakdown of barriers and an invasion of the innermost\nor most valuable parts of the system, successive layers and safeguards must be\nconstructed at different locations in the system. Those different locations are\nexpressed as local computing networks, enclave boundaries, networks, and\nsupporting infrastructures. Through a deliberate risk analysis process, program\nmanagers can make effective risk management decisions to ensure that the most\neffective defense-in-depth strategy, given the resources available, is deployed.\nAdditionally, all DoD Components are required to establish an active risk\nmanagement and mitigation program for information and information-based\nprocesses, and information systems, such as command, control,\ncommunications, and computer systems; weapon systems; and information\ninfrastructures used by military forces. The associated information is to be\nprotected based on the value of the information contained in the system and the\nrisks associated with its compromise or loss.\n\n        Director, Operational Test and Evaluation Memorandum. The\nDirector\xe2\x80\x99s memorandum establishes policy for operational test and evaluation of\ninformation assurance for all Director, Operational Test and Evaluation\noversight programs, including weapon systems, C4I surveillance and\nreconnaissance systems, and information systems. The policy applies to\nacquisition programs that have not reached the production decision. The policy\ncontains a four-step process to review information assurance during operational\ntest and evaluation, as follows.\n\n       \xe2\x80\xa2   Requirements, Threat, and Test Documentation Review. During\n           this step, the Director, Operational Test and Evaluation determines\n           the relevance of information-assurance testing based on requirements,\n           and assesses vulnerabilities and the importance of program functions\n           and missions.\n\n       \xe2\x80\xa2   Test Strategy Development. For those programs that were not\n           waived in the Step One review, the Director, Operational Test and\n           Evaluation conducts a paper vulnerability assessment as part of the\n           normal test strategy development using experts, program office\n           personnel, operational test activity representatives, and users to\n           define the degree to which operational information assurance testing\n           is warranted. Test plans are not to be approved unless they contain a\n           well-defined strategy for addressing information assurance concerns,\n           adequate resources, and appropriate measures against which to test\n           stated requirements. Those programs with operational test and\n           evaluation waivers for information assurance are to note the waiver\n           in their TEMP and test plan.\n\n       \xe2\x80\xa2   Review of Information Assurance Development Test and\n           Evaluation and Computer Security Certification Results Before\n           Entry into Operational Test and Evaluation. For those systems\n           considered to possess potentially high or unknown residual\n           information assurance risk, the operational test activities are to\n           examine development test and evaluation and Defense Information\n\n\n\n                                   48\n\x0c    Technology Security Certification Accreditation Process data,\n    including any concurrent operational assessments that may have\n    already occurred, in judging the effectiveness of that system.\n\n\xe2\x80\xa2   Evaluation of Information Assurance Vulnerabilities During\n    Operational Test. Those programs that have undergone Steps One,\n    Two, and Three and are still judged to have a high or unknown\n    vulnerability are to be subject to field testing as part of the initial\n    operational test and evaluation.\n\n\n\n\n                             49\n\x0cAppendix G. DoD System Interoperability\n            Requirements Review Process\nThe C4I Surveillance and Reconnaissance Architecture Framework documents how\narchitectures are created. Once an architecture is created, KPPs in the ORD are\ndefined. The following flow chart shows the interoperability certification review\nprocess. The interoperability certification review process has three stages.\n\n\n                                                             (d)                               (e)                      (f)\n                  Department submits               USJFCOM                                USJFCOM                  Subject\n                        ORD                           J-8                                    J-6                   Matter\n                                                                                                                   Expert\n\n             ORD entered              (a)\n             into the JCPAT                                             (g)         JITC\n                                                                                    Plans and Policy                          (h)\n                                                                                     Division                JITC\n                                                               (d)                                           Database\n\n                                    (b)\n          Joint Chiefs\n          of Staff (J-8)\n                                                       DISA                                                                   (h)\n                                                                                                             Checklist\n                                                                              Service processes\n          Joint Chiefs\n                              (c)                                                 ORD\n          of Staff (J-6)\n                                                       (i)                     No\n                                                                                                       (j)         Competes\n                                                               Yes                       ORD                       for funds\n            No                      Certified for                                        Approval                  (PPBS)\n                                    Interoperability\n                                        by J-6                                                               Yes              (k)\n                                               Approved ORD is not always reentered into the JCPAT\n\n\n\n\nStage One16\n          (a) The Defense agency or Military Department enters the ORD, regardless of\n              the acquisition category, into the JCPAT.\n\n          (b) The acquisition category I ORD is forwarded the to the Force Structure,\n              Resources, and Assessment Directorate J-8 (Joint Staff J-8), who staffs the\n              requirement with the members of the Joint Requirement Oversight Council.\n\n16\n     Stage lasts 35 days.\n\n\n                                                                   50\n\x0c          (c) The acquisition category II and below ORD is staffed with the Command,\n              Control, Communications, and Computers Systems Directorate J-6 (Joint\n              Staff J-6).\n\n          (d) The Joint Staff J-6 staffs the acquisition category II and below ORD with\n              DISA and the USJFCOM J-8.\n\n          (e) The USJFCOM J-8 staffs the document with the USJFCOM J-6\n\n          (f) The USJFCOM J-6 directs subject-matter experts review the ORD from a\n              warfighter perspective to verify that GIG requirements are in the ORD. The\n              USJFCOM J-6 receives comments from the subject-matter expert and then\n              forwards those and any additional comments back through the chain to the\n              Joint Staff J-6.\n\n          (g) DISA staffs the ORD through the Plans and Policy Division which then\n              determines the lead JITC division. That division assigns a specific\n              subject-matter expert to review the ORD from a technical perspective. After\n              the review, the Plans and Policy Division consolidates comments on the ORD\n              from the subject-matter expert with those from other JITC divisions.\n\n          (h) JITC subject\xe2\x80\x93matter experts use a checklist to ensure that their mission need\n              statements, CRDs, ORDs, C4I support plans, and TEMPs meet DoD policy\n              requirements. Based on the results of the checklist review, comments are\n              entered in the JITC database and forwarded to the Joint Staff J-6 through the\n              DISA. The JITC database maintains historical data on documentation for\n              DoD systems until operational testing is completed. JITC uses the data in its\n              database and information from other sources such as symposiums, field\n              demonstrations, or program managers to identify interoperability and\n              information assurance requirements.\n\nStage Two17\n          (i) If the Joint Staff J-6 does not certify the ORD in stage one, the ORD, with\n              comments, is returned to the Defense agency or Military Department for\n              resolution of interoperability issues. After the issues identified in stage one\n              are resolved, stage two, which is the same process as stage one, begins. If no\n              deficiencies are found by the Joint Staff J-6, the ORD may be certified for\n              interoperability.\n\n          (j) After certification for interoperability, the Joint Staff J-6 returns the ORD to\n              the Military Department or the Defense agency, as applicable. The Military\n              Department or the Defense agency is responsible for ORD approval.\n\n\n\n\n17\n     Stage two lasts 21 days.\n\n\n                                                51\n\x0c      (k) When the ORD is approved, the requirement competes for funding in the\n          Planning, Programming, and Budgeting System process. However, no\n          requirement exists for Military Departments or Defense agencies to submit\n          the final approved ORD to be updated in the JCPAT.\n\nStage Three18\n        Stage III is the posting of the Acquisition Category II or III Milestone Decision\n        Authority approved mission need statements, CRD, or ORD. Approved\n        documents are filed in the JCPAT with the Joint Staff J-6 certification letter.\n\n\n\n\n18\n Stage three suspense is 15 days after the Joint Requirements Oversight Council or the milestone\ndecision authority approves the mission need statement, CRD, or ORD and posting the document into the\nJCPAT, according to the Chairman of the Joint Chiefs of Staff Instruction 6212.01B.\n\n\n                                                 52\n\x0cAppendix H. Organizations with Access to the\n            Joint Command, Control,\n            Communications, Computers, and\n            Intelligence Program Assessment\n            Tool\n\nOffice of the Secretary of Defense\nAssistant Secretary of Defense (Command, Control, Communications, and Computers)\nInspector General of the Department of Defense\n\nJoint Staff\nDirector for Intelligence (J-2)\nDirector for Operations (J-3)\nDirector for Logistics (J-4)\nDirector for Strategic Plans and Policy (J-5)\nDirector for Command, Control, Communications, and Computers (J-6)\nDirector for Operational Plans and Interoperability (J-7)\nDirector for Force Structure, Resources, and Assessment (J-8)\n\nDepartment of the Army\nDeputy Chief of Staff Operations and Plans, Headquarters Department of the Army\nCommander, Communications and Electronics Command\nCommander, Executive Agent Theater Joint Tactical Networks\nCommander, Training and Doctrine Command\n\nDepartment of the Navy\nDeputy Assistant Secretary of the Navy\nDeputy Chief of Naval Operations (Resources, Requirements, and Assessments)\nDirector, Equipment and Requirements Division, United States Marine Corps\n\nDepartment of the Air Force\nDeputy Chief of Staff for Air and Space Operations\n\n\n\n\n                                         53\n\x0cUnified Commands\nCommander, U.S. European Command\nCommander, U.S. Pacific Command\nCommander, U.S. Joint Forces Command\nCommander, U.S. Southern Command\nCommander, U.S. Central Command\nCommander, U.S. Space Command\n  North American Aerospace Defense Command\nCommander, U.S. Special Operations Command\nCommander, U.S. Strategic Command\nCommander, U.S. Transportation Command\n\nOther Defense Organizations\nDirector, Operational Test and Evaluation\nDirector, Defense Finance and Accounting Service\nDirector, Defense Intelligence Agency\nDirector, Defense Logistics Agency\nDirector, Defense Information Systems Agency\n   Director for Operations\n   Director for Acquisitions, Logistics, and Facilities\n   Director for Strategic Plans and Policy\n   Director for Engineering and Information\n   Director for Joint Requirement Analysis and Integration\n   Director for Command, Control, Communications, Computers and Intelligence\n      Modeling, Simulation, and Assessment\n   Director for Applications Engineering Directorate\n      Program Planning Office\n   Director for Interoperability\n   Principal Director for Network Services\n   Commander, Joint Interoperability Test Command\n   Commander, Joint Spectrum Center\nCommander, Joint Theater Air and Missile Defense Organization\nDirector, Joint Warfighting Capabilities and Assessment\nCommander, Missile Defense Agency\nDirector, National Imagery and Mapping Agency\nDirector, National Reconnaissance Office\nDirector, National Security Agency\n\n\n\n\n                                       54\n\x0cAppendix I. Response to Office of the Secretary\n            of Defense and Defense Agency\n            Comments Concerning the Report\n     Our detailed response to the comments from the Director, Interoperability,\n     Office of the Under Secretary of Defense for Acquisition, Technology, and\n     Logistics; the Director, Architecture and Interoperability, Office of the\n     ASD(C3I); the Inspector General, Office of the Commander, USJFCOM; the\n     Inspector General, DISA; the Director, Joint Staff; and the Co-Chair,\n     Interoperability Senior Review Panel, on statements in the draft report follow.\n     The complete text of those comments is in the Management Comments section\n     of this report.\n\nUnder Secretary of Defense for Acquisition, Technology, and\n  Logistics Comments on Finding and Audit Response\n     The Director, Interoperability, Office of the Under Secretary of Defense for\n     Acquisition, Technology, and Logistics, commented on the implementation of\n     information assurance and the term \xe2\x80\x9ccombat developers.\n\n     Implementation of Information Assurance. The Director stated that the\n     Conclusion section of the report states that, \xe2\x80\x9c...information assurance must be\n     implemented whenever a system is deemed interoperable...,\xe2\x80\x9d and that the\n     statement is offered as a given. However, he believed that the statement may\n     tend to imply equality of the two related measures. The Director stated that an\n     appropriate qualification might be, \xe2\x80\x9cInformation assurance must be implemented\n     appropriately and commensurate to the level of interoperability required.\xe2\x80\x9d\n\n     Audit Response. We revised the report as suggested.\n\n     Combat Developers. The Director stated that the term \xe2\x80\x9ccombat developers\xe2\x80\x9d\n     was used in the Conclusion section of the report without defining it.\n\n     Audit Response. The term \xe2\x80\x9ccombat developers\xe2\x80\x9d was defined in Appendix B,\n     \xe2\x80\x9cDefinitions of Technical Terms,\xe2\x80\x9d of the report. To clarify the Conclusion\n     section, we added a footnote to also define the term, which refers to the\n     requirements generation process.\n\nAssistant Secretary of Defense (Command, Control,\n  Communications, and Intelligence) Comments on Finding\n     The Director, Architecture and Interoperability, Office of the ASD(C3I)\n     suggested some editorial changes that we considered and made where deemed\n     appropriate.\n\n\n                                        55\n\x0cU.S. Joint Forces Command Comments on Finding and Audit\n  Response\n    The Inspector General, USJFCOM commented on analyzing interoperability and\n    information assurance, conducting analytical or quantitative modeling and\n    simulation, analyzing ORD requirements, comparing the proposed system ORD\n    against the ORDs of the systems with which it must interoperate, providing a\n    joint perspective concerning interoperability and integration, and comparing\n    requirement documents of proposed DoD systems within joint mission area\n    architectures.\n\n    Interoperability and Information Assurance Analysis. The Inspector General\n    stated that the paragraph stating that \xe2\x80\x9cThe Commander, USJFCOM did not\n    analyze interoperability and information assurance requirements in the\n    operational and system architectures for DoD systems as part of the\n    interoperability certification process for ORDs\xe2\x80\x9d does not accurately reflect the\n    requirements review process at the USJFCOM and the required actions as\n    directed by Chairman of the Joint Chiefs of Staff Instructions 3170.01B and\n    6212.01B. Further, USJFCOM does analyze interoperability and information\n    assurance. Without overarching joint mission area architectures, USJFCOM\n    analyzes integration requirements in coordination with Chairman of the Joint\n    Chiefs of Staff Instructions 3170.01B and 6212.01B from known and existing\n    systems as they integrate with existing CRDs.\n\n    Audit Response. As stated in the finding, the analysis of interoperability and\n    information assurance requirements that the USJFCOM subject-matter experts\n    performed for proposed DoD system\xe2\x80\x99s requirements should be made to ORD\n    requirements for other systems that the proposed system will be interoperable\n    with in their intended mission architectures in addition to those requirements\n    contained in existing CRDs.\n\n    Analytical or Quantitative Modeling and Simulation. The Inspector General\n    stated that USJFCOM did not compare ORDs to joint mission architectures\n    before system development started because it did not have the resources to\n    conduct that level of review. Although USJFCOM strongly disagrees that the\n    depth of the ORD review as outlined in the report is a USJFCOM mission,\n    USJFCOM would like to be able to conduct the reviews as outlined in the\n    report, including detailed analysis.\n\n    Audit Response. In Section 922, Public Law 105-261, Congress expressed its\n    sense that the commander of a combatant command should be provided with\n    appropriate and sufficient resources for joint warfighting experimentation. It\n    listed the responsibilities and authorities that should accompany that designation,\n    including improving interoperability and making recommendations to the\n    Chairman of the Joint Chiefs of Staff on mission needs statements and ORDs.\n    Accordingly, if USJFCOM believes that resources are insufficient, it should\n    request the resources needed to fulfill the sense of Congress.\n\n\n\n\n                                        56\n\x0cORD Requirements. The Inspector General stated that the requirement to\nreview ORDs in context with the existing family of systems is not a USJFCOM\nrequirement. Further, the ORD review process, as outlined in Chairman of the\nJoint Chiefs of Staff Instructions 3170.01B and 6212.01B, was to ensure that the\nnew ORDs were interoperable with the future family of systems as outlined or\ndescribed in the CRDs. The CRD details the future system requirements for the\nfamily of systems that include the current and potential innovation resulting\nfrom technology to be added. USJFCOM works with the ORD authors to\nensure that the new ORDs are compliant with the CRDs. Further, the role of\nthe CRDs is to serve as the road map to future interoperability, which is why\nChairman of the Joint Chiefs of Staff Instructions 3170.01B and 6212.01B\nrequire the traceability of ORD requirements to CRD requirements and not to\nthe current or existing systems within the particular family of systems. In\naddition, USJFCOM does realize that additional efforts are required to ensure\ninteroperability and, with additional resources, would want to participate in\nthose efforts. Additionally, DoD lacks a reliable repository of all existing\nfamily of systems information.\n\nAudit Response. USJFCOM had not documented that it lacked:\n\n       \xe2\x80\xa2   resources needed to fulfill its responsibility for assessing\n           interoperability requirements for proposed DoD weapon systems or\n\n       \xe2\x80\xa2   a reliable repository of all existing family of systems information.\n\nUSJFCOM should be proactive in acquiring additional resources to ensure the\ninteroperability of systems and to establish a reliable repository of all existing\nfamily of systems information, as specified in Section 922, Public Law 105-261,\ndiscussed above.\n\nProposed System ORD Comparison. The Inspector General stated that\nsubject-matter experts were not required or authorized to compare the proposed\nsystem ORD against the ORDs of the systems with which it must interoperate.\nFurther, the development of ORDs was the excusive role of the Military\nDepartments and Defense agencies and, even though USJFCOM did have a role\nin the review process, approval was the responsibility of the Joint Requirements\nOversight Council. The report misinterpreted what the actual role of\nUSJFCOM was in the process and grossly overstated the requirements for\nUSJFCOM. However, USJFCOM did concur that, with additional resources, it\ncould improve the interoperability effort in many areas; however, those areas\nwere not its assigned tasks and were unfunded.\n\nAudit Response. The USJFCOM has the authority to obtain additional\nresources to improve interoperability throughout DoD. The Joint Staff\xe2\x80\x99s\n\xe2\x80\x9cUnified Command Plan 1999,\xe2\x80\x9d emphasizes the role of USJFCOM as the chief\nadvocate of jointness and the importance of enhancing jointness and\ninteroperability throughout DoD. As part of its role in transforming U.S.\nArmed Forces to meet the security challenges of the 21st century, USJFCOM\nhas the responsibility to support the development and integration of fully\ninteroperable systems and capabilities, including C4I surveillance and\n\n\n                                    57\n\x0creconnaissance. Further, the sense of Congress, as expressed in Section 922,\nPublic Law 105-261 encourages a combatant commander, such as USJFCOM,\nto be proactive in obtaining appropriate and sufficient resources to fulfill its\nresponsibility for assessing interoperability requirements of proposed DoD\nweapon systems to enable the warfighter to have interoperable systems.\n\nJoint Perspective. The Inspector General suggested that another\nrecommendation be added to Recommendation 4. Specifically, he proposed\nthat the Director, Command, Control, Communications, and Computers\nSystems Directorate (J-6), Office of the Chairman of the Joint Chiefs of Staff:\n           Provide a joint perspective as the Chairman\xe2\x80\x99s advocate for\n           interoperability and integration, to team with the Joint Warfighting\n           Capability Assessments (JWCAs) in developing Joint Mission Area\n           Architectures.\n\nThe Inspector General suggested the new recommendation because joint mission\narea architectures are key to determining the usefulness of systems within DoD.\nFurther, as the warfighters advocate for interoperability and integration,\nUSJFCOM should participate in the architecture process to ensure that\nwarfighter needs and interests are met.\n\nAudit Response. The report did not address the merits of a joint perspective\ninteraction with joint warfighting capability assessments when developing joint\nmission area architectures. However, we will consider addressing that joint\nperspective issue when reviewing interoperability and information assurance\npolicies at the unified command level, in a subsequent audit.\n\nComparison of Requirement Documents. The Inspector General suggested\nthat another recommendation be added to Recommendation 4. Specifically, he\nproposed that the Director, Command, Control, Communications, and\nComputers Systems Directorate (J-6), Office of the Chairman of the Joint Chiefs\nof Staff:\n           Compare requirement documents of proposed DoD systems within\n           JMA [joint mission area] Architectures, as they are completed,\n           against the other requirement documents in their related Joint Mission\n           Area Architecture to verify the completeness of stated interoperability\n           requirements.\n\nThe Inspector General provided the same rationale for this recommendation as\nhe gave for his recommendation to provide a joint perspective, as discussed\nabove.\n\nAudit Response. The report did not specifically address the comparison of\nrequirement documents of proposed DoD systems within joint mission area\narchitectures against the other requirement documents in their related joint\nmission area architecture(s). However, we will consider addressing that\ncomparison issue when reviewing interoperability and information assurance\npolicies at the unified command level, in a subsequent audit.\n\n\n\n                                        58\n\x0cDefense Information Systems Agency Comments on Finding\n  and Audit Response\n    The Inspector General, Defense Information Systems Agency commented on\n    DoD interoperability policy, the Interoperability Watch List, inconsistent DoD\n    policy, conformance with Joint Chiefs of Staff policy, interoperability analysis,\n    access to the JCPAT database, and interoperability certification. In addition,\n    the Inspector General suggested some editorial changes that we considered and\n    made where deemed appropriate.\n\n    DoD Interoperability Policy. The Inspector General stated that DoD\n    Directive 4630.5 and DoD Instruction 4630.8 establish DoD interoperability\n    policy and that:\n\n           \xe2\x80\xa2   the Office of the Under Secretary of Defense for Acquisition,\n               Technology, and Logistics implemented its interoperability\n               responsibilities in DoD Directive 4630.5 and DoD\n               Regulation 5000.2-R, and\n\n           \xe2\x80\xa2   the Joint Staff implemented its interoperability responsibilities in\n               Chairman of the Joint Chiefs of Staff Instructions 3170.01B and\n               6212.01B.\n\n    Further, while ASD(C3I) was revising DoD Directive 4630.5, the Joint Staff\n    rewrote Chairman of the Joint Chiefs of Staff Instruction 6212.01B, which\n    incorporated the intended changes to DoD Directive 4630.5 before its release in\n    January 2002. In addition, the ASD(C3I), as a staff element of the Office of the\n    Secretary of Defense, should be a higher authority than the Joint Chiefs of Staff.\n    Therefore, the Inspector General stated that the report criticism could be that\n    DoD Directive 4630.5 and DoD Instruction 4630.8 were outdated because of\n    developments in architecture frameworks and acquisition documents.\n    Alternatively, one could say, with equal validity, that Chairman of the Joint\n    Chiefs of Staff Instruction 6212.01B:\n\n           \xe2\x80\xa2   was prematurely issued because it was in conflict with DoD\n               Directive 4630.5 and DoD Instruction 4630.8 and\n\n           \xe2\x80\xa2   lacked the authority of DoD Directive 4630.5 and DoD\n               Instruction 4630.8 for the changes.\n\n    Audit Response. The Joint Chiefs of Staff were proactive. The Office of the\n    ASD(C3I) guidance had not been updated for 10 years. As the Inspector\n    General stated, DoD Directive 4630.5 and DoD Instruction 4630.8 were\n    partially outdated because of developments in architecture frameworks and\n    acquisition documents.\n\n    Interoperability Watch List. The Inspector General stated that DoD\n    Instruction 4630.8 did not specifically require the Director, Operational Test\n    and Evaluation to establish criteria for placing DoD weapon systems in the\n\n\n                                        59\n\x0cdevelopment phase of the acquisition process on the Interoperability Watch List.\nFurther, the Interoperability Senior Review Panel was addressing the process for\nthe Interoperability Watch List and had identified a process for nominating\nsystems to the list. The Inspector General also stated that systems had been\nnominated for the Interoperability Watch List, but none were actually put on the\nList to date.\n\nAudit Response. As evidenced in the report, without specific criteria for\nplacing DoD weapon systems on the Interoperability Watch List, the Office of\nthe Secretary of Defense, the Joint Staff, the Defense agencies, and the Military\nDepartments have not placed any DoD weapon systems on the List. This\noccurred even though the Director, Operational Test and Evaluation cited\ninteroperability testing concerns for 21 DoD systems in the FY 2001 Annual\nTest Report.\n\nInconsistent DoD Policy. The Inspector General stated that the Defense\nInformation Systems Agency did not believe that the DoD policy is inconsistent,\nbut rather that the release dates for revision of the various documents were not\nas coordinated as possible. Further, the contents of the various documents were\ncoordinated and are now synchronized and undergoing another review and\nupdate cycle.\n\nAudit Response. Whether or not the release dates for revision of the various\ndocuments were coordinated, DoD Directive 4630.5 and DoD\nInstruction 4630.8 were outdated because of developments in architecture\nframeworks and acquisition documents over the 10-year period between\ndocument updates.\n\nConformance with Joint Chiefs of Staff Policy. The Inspector General stated\nthat Joint Chiefs of Staff policy and instruction should conform to ASD(C3I)\nguidance, not the other way around.\n\nAudit Response. We agree; however, the Joint Staff was proactive in\nimplementing agreed-upon policy needed because of developments in\narchitecture frameworks and acquisition documents.\n\nInteroperability Analysis. The Inspector General recommended revising the\nreport\xe2\x80\x99s statements about the interoperability process because the ORD review\nprocess requires the originator to identify a proposed system\xe2\x80\x99s interoperability\nrequirements in the context of the other systems with which it must interoperate.\n\nAudit Response. Combat developers have neither a complete database of all\nDoD requirement and acquisition documents nor access to all joint mission area\narchitectures to use as a reference when developing ORD interoperability\nrequirements. Accordingly, USJFCOM has an important role in ensuring that\ninteroperability requirements are fully defined in the ORD review process.\n\nAccess to JCPAT Database. The Inspector General stated that the\nthird sentence under the subheading, \xe2\x80\x9cAccess to Database,\xe2\x80\x9d indicated that of\n756 users, 15 were contractor support personnel, and that the fourth sentence\n\n\n                                   60\n\x0c    indicated that DISA could identify the total number of users but could not\n    distinguish DoD from contractor personnel. He concluded that both statements\n    could not be correct.\n\n    Audit Response. The Inspector General was citing statements from the\n    discussion draft of this report, not the draft report. We revised those statements\n    before issuing the draft report.\n\n    Interoperability Certification. The Inspector General stated that the phrase,\n    \xe2\x80\x9cinteroperability certification,\xe2\x80\x9d is ambiguous. Further, he stated that the Joint\n    Staff issues interoperability certifications of requirements and supportability\n    documents, which are two separate types of certifications, and issues system\n    validation memoranda. He also stated that JITC issues system interoperability\n    test certifications based on interoperability testing.\n\n    Audit Response. Page 4, Footnote 2, of the report discussed the two separate\n    types of interoperability certifications. In response to the management\n    comments, we added the term, \xe2\x80\x9cInteroperability Certification Process,\xe2\x80\x9d to\n    Appendix B, \xe2\x80\x9cDefinitions of Technical Terms.\xe2\x80\x9d\n\nJoint Staff Comments on Finding and Audit Response\n    The Director, Joint Staff commented on analyzing interoperability and\n    information assurance requirements; updating the Joint Command, Control,\n    Communications, Computers, and Intelligence Program Assessment Tool\n    (JCPAT); conducting analytical or quantitative modeling and simulation;\n    analyzing ORD requirements; comparing the proposed system ORD against the\n    ORDs of the system with which it must interoperate; developing the Automated\n    Commander-in-Chief Integrated System Tool; and maintaining the database. In\n    addition, the Director suggested some editorial changes that we considered and\n    made where deemed appropriate.\n\n    Interoperability and Information Assurance Analysis. The Director provided\n    comments similar to those made by the Inspector General, USJFCOM, for\n    which we previously provided an audit response.\n\n    JCPAT. The Director stated that the USJFCOM did not update the JCPAT\n    database to include all interoperability certifications, TEMPs, and C4I support\n    plans for DoD systems because those documents were in hard copy form and,\n    therefore, impede interoperability certification. Further, the Director stated that\n    the Joint Staff J-6 maintains a hard copy of programs and documents that\n    predate the JCPAT.\n\n    Audit Response. As indicated in the finding, the older documents in the\n    JCPAT should be archived and all applicable documents should be incorporated\n    into the JCPAT. Archiving and incorporating documents is important because\n    other organizations outside the Joint Staff use the JCPAT to ensure that all\n    information exchange requirements are encompassed in ORDs. Therefore, the\n\n\n\n                                        61\n\x0cJCPAT data need to be complete and accessible. The inclusion of C4I support\nplans and TEMPs in the JCPAT database would help combat developers to more\nfully review and determine system interoperability requirements.\n\nAnalytical or Quantitative Modeling and Simulation. The Director provided\ncomments similar to those made by the Inspector General, USJFCOM, for\nwhich we previously provided an audit response.\n\nORD Requirements. The Director provided comments similar to those made\nby the Inspector General, USJFCOM, for which we previously provided an\naudit response.\n\nProposed System ORD Comparison. The Director provided comments similar\nto those made by the Inspector General, USJFCOM, for which we previously\nprovided an audit response.\n\nAutomated Commander-in-Chief Integrated System Tool. The Director\nstated that the recommended Automated Commander-in-Chief Integrated System\nTool was under development, and DoD had not accepted, approved, or certified\nit. Further, he stated that USJFCOM could evaluate the usefulness of this or\nany other tool that USJFCOM uses in the requirements process.\n\nAudit Response. The report discusses the Automated Commander-in-Chief\nIntegrated System Tool only as a possible automated process to assist\nUSJFCOM in evaluating interoperability requirements in proposed ORDs.\n\nMaintenance of the Database. The Director suggested revising the sentence\nthat discusses searching for interoperability certification documents in the\nJCPAT database. He stated that the reason for the revision was because\nrequirements documents were submitted at each milestone. Further, the\nDirector stated that depending upon the milestone, a particular program may\nhave more than one document. He also stated that a reviewer would have to be\naware of the milestone and the date processed to determine the current\ndocument. However, the Director stated that the Joint Staff agreed that the user\ncould not be assured that the document is the most recently approved or\nvalidated document for Acquisition Category II and below documents. Further,\nhe stated that, because the Joint Requirements Oversight Council was a\nvalidating authority, the Director, Force Structure, Resources, and Assessment\n(J-8) post-validated Acquisition Category I or Joint Staff Issue programs to the\nJ-8 tool. The Director also stated that the validated documents are available in\nboth the J-6 and J-8 tools. In conclusion, he stated that recent changes to the J-6\nJCPAT should alleviate the confusion concerning the availability of up-to-date\nprogram documentation in the JCPAT database.\n\nAudit Response. Even though the Director stated that the validated documents\nare available in the J-6 and J-8 tools and that recent changes to the J-6 JCPAT\nshould alleviate the confusion concerning the availability of up-to-date program\ndocumentation, the user needs assurance that the document located in the\nJCPAT database is the most recently certified document. Therefore, DISA\n\n\n\n                                    62\n\x0c    needs to archive outdated versions of documents so that users can locate and\n    obtain the most up-to-date approved documents for making interoperability\n    determinations for DoD systems.\n\nInteroperability Senior Review Panel Comments on Finding\n   and Audit Response\n    The Co-Chair, Interoperability Senior Review Panel stated that the\n    Interoperability Senior Review Panel consists of senior leaders from the Offices\n    of the Under Secretary of Defense for Acquisition, Technology, and Logistics;\n    the ASD(C3I); the Joint Staff; U.S. Joint Forces Command; the Director for\n    Programs, Analysis, and Evaluation; and the Director, Operational Test and\n    Evaluation. He recognized that the primary objective of this report was to\n    evaluate the Office of the Secretary of Defense and the Defense agencies\xe2\x80\x99\n    implementation of DoD interoperability and information assurance policies, but\n    he stated that the report did not address the issue that DoD is not structured to\n    organize, train, and equip required joint capabilities. The Co-Chair also stated\n    that the Military Departments determine requirements and then resource those\n    requirements based on their individual priorities instead of joint priorities.\n    Further, the Co-Chair stated that interoperability and information assurance for\n    information technology and national security systems should be viewed in the\n    wider context of doctrine, organization, training, material, leadership\n    development, personnel, and facilities instead of only system of systems context\n    or family of systems context, or both. He concluded that joint interoperability\n    requires a synchronized effort and resources across the entire doctrine,\n    organization, training, material, leadership development, personnel, and\n    facilities spectrum.\n\n    Audit Response. As the Co-Chair noted, the report did not address whether\n    DoD is structured to organize, train, and equip required joint capabilities.\n    However, we will consider addressing that structuring issue in a subsequent\n    audit when we review interoperability and information assurance policies at the\n    unified command level. Because certain recommendations required a\n    synchronized effort and resources, we redirected those recommendations to the\n    Co-Chair to coordinate corrective actions to implement policies.\n\n\n\n\n                                        63\n\x0cAppendix J. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\n   Deputy Under Secretary of Defense (Acquisition Initiatives)\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\nDirector, Operational Test and Evaluation\n\nJoint Staff\nDirector, Joint Staff\n   Director for Command, Control, Communications, and Computers Systems (J-6)\n   Director for Force Structure, Resources, and Assessment (J-8)\n\nDepartment of the Army\nAssistant Secretary of the Army (Acquisition, Logistics, and Technology)\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n\nUnified Command\nCommander, U.S. Joint Forces Command\n\nOther Defense Organizations\nDirector, Defense Information Systems Agency\n   Commander, Joint Interoperability Test Command\n\n\n\n\n                                          64\n\x0cNon-Defense Federal Organization\nOffice of Management and Budget\n  Office of Information and Regulatory Affairs\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                         65\n\x0c\x0c___________________________________________________________________\n\n\n\nUnder Secretary of Defense for Acquisition,\nTechnology, and Logistics Comments\n                                                                      Final Report\n                                                                       Reference\n\n\n\n\n                                                                      Revised\n                                                                      Page 15\n\n\n\n\n                                                                      Revised\n                                                                      Page 15\n\n\n\n\n                                                                      Revised\n                                                                      Page 17\n\n\n\n\n                             67\n\x0c___________________________________________________________________\n\n\n\n\n                             68\n\x0c___________________________________________________________________\n\n\n\nAssistant Secretary of Defense (Command,\nControl, Communications, and Intelligence)\nComments\n\n\n\n\n                             69\n\x0c___________________________________________________________________\n\n\n\n\n                             70\n\x0c___________________________________________________________________\n\n\n\n\n                                                                      Final Report\n                                                                       Reference\n\n\n\n\n                                                                      Revised\n                                                                      Page i\n\n                                                                      Page 5\n\n\n                                                                      Revised\n                                                                      Page 8\n\n\n\n\n                                                                      Page 12\n\n\n\n\n                                                                      Page 15\n\n\n\n\n                             71\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nPage 22\n\n\n\n\n                                            72\n\x0c___________________________________________________________________\n\n\n\nU.S. Joint Forces Command Comments\n\n\n\n\n                             73\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nRevised\nPage 21\n\n\n\n\nPage 23\n\n\n\n\nPage 4\n\n\n\n\nPage 8\n\n\n\n\n                                            74\n\x0c___________________________________________________________________\n\n\n\n\n                                                                      Final Report\n                                                                       Reference\n\n\n\n\n                                                                      Page 8\n\n\n\n\n                             75\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nPage 9\n\n\n\n\nPage 21\n\n\n\n\n                                            76\n\x0c___________________________________________________________________\n\n\n\n\n                                                                      Final Report\n                                                                       Reference\n\n\n\n\n                                                                      Revised\n                                                                      Page 21\n\n\n\n\n                                                                      Page 58\n\n\n\n\n                                                                      Page 58\n\n\n\n\n                             77\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nPage 23\n\n\n\n\n                                            78\n\x0c___________________________________________________________________\n\n\n\nDirector, Operational Test and Evaluation,\nComments\n\n\n\n\n                             79\n\x0c___________________________________________________________________\n\n\n\n\n                             80\n\x0c___________________________________________________________________\n\n\n\nDefense Information Systems Agency Comments\n\n\n\n\n                             81\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nPage 4\n\n\n\n\nPage 5\n\n\n\n\n                                            82\n\x0c___________________________________________________________________\n\n\n\n\n                                                                      Final Report\n                                                                       Reference\n\n\n\n\n                                                                      Page 5\n\n\n\n\n                                                                      Revised\n                                                                      Page 5\n\n\n\n\n                                                                      Page 7\n\n\n\n\n                                                                      Page 7\n\n\n\n                                                                      Page 8\n\n\n\n\n                                                                      Page 10\n\n\n\n\n                             83\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nPage 11\n\n\n\n\nRevised\nPage 4\n\n\n\n\nPage 29\n\n\n\n\nRevised\nPage 64\n\n\n\n\n                                            84\n\x0c___________________________________________________________________\n\n\n\nJoint Staff Comments\n\n\n\n\n                             85\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nPage 4\n\n\n\n\nPage 4\n\n\n\n\nPage 8\n\n\n\n\n                                            86\n\x0c___________________________________________________________________\n\n\n\n\n                                                                      Final Report\n                                                                       Reference\n\n\n\n\n                                                                      Page 8\n                                                                      Paragraph 2\n\n\n\n\n                                                                      Page 8\n                                                                      Paragraph 3\n\n\n\n\n                             87\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nPage 9\n\n\n\n\nPage 9\n\n\n\n\nPage 10\n\n\n\n\nPage 17\n\n\n\n\n                                            88\n\x0c___________________________________________________________________\n\n\n\n\n                                                                      Final Report\n                                                                       Reference\n\n\n\n\n                                                                      Page 18\n\n\n\n\n                                                                      Page 21\n\n\n\n\n                                                                      Revised\n                                                                      Page 21\n\n\n\n\n                                                                      Revised\n                                                                      Page 24\n\n\n\n\n                             89\n\x0c               ___________________________________________________________________\n\n\n\n\nFinal Report\n Reference\n\n\n\n\nRevised\nPage 25\n\n\n\n\nRevised\nPage 50\n\n\n\n\n                                            90\n\x0c___________________________________________________________________\n\n\n\nInteroperability Senior Review Panel Comments\n\n\n\n\n                             91\n\x0c___________________________________________________________________\n\n\n\n\n                             92\n\x0cTeam Members\nThe Acquisition Management Directorate, Office of the Assistant Inspector General for\nAuditing of the Department of Defense prepared this report. Personnel of the Office of\nthe Inspector General of the Department of Defense who contributed to the report are\nlisted below.\n\n       Mary L. Ugone\n       John E. Meling\n       Jack D. Snider\n       Mark E. Stephens\n       Kevin W. Klein\n       Trisha L. Staley\n       Kelly R. Veith\n       Jacqueline N. Pugh\n\x0c\x0c'